Brevo (Sendinblue) Cookie Consent Integration Guide: GDPR Compliance for Email and SMS Marketing in 2026
Brevo, the platform formerly known as Sendinblue, is the most widely deployed email and SMS marketing platform headquartered in continental Europe. Its rebrand in 2023 coincided with a substantial expansion of the product surface: alongside the original email automation engine, Brevo now includes transactional email, SMS marketing, WhatsApp messaging, a sales CRM, a meeting scheduler, push notifications, and a website conversation widget. Each component installs its own script, sets its own cookies, and forwards data to Brevo's European data centers. The platform's French heritage matters for consent compliance in two ways. First, Brevo's data centers are EU-based, which simplifies the cross-border transfer analysis substantially compared to US-based competitors. Second, the CNIL — Brevo's home regulator — has been the most aggressive enforcer of cookie consent rules in Europe, which means Brevo's default integration documentation has historically lagged behind what the regulator actually expects. This guide walks through what each Brevo component collects, where the consent boundary sits in 2026, and how to wire the full Brevo stack to a third-party CMP cleanly.
The Brevo Tracking Surfaces
A full Brevo deployment touches four distinct tracking surfaces, each with its own consent question.
Brevo Tracker (sib-tracker.js)
The Brevo Tracker is the behavioral analytics layer, loaded from cdn.brevo.com/js/sib-tracker.js. It identifies visitors with the sib-tracker-id cookie and reports pageview, click, and custom event payloads to Brevo. Once a visitor is identified by email (typically through a form submission or login), the Tracker links the anonymous browsing history to the known contact profile. From a regulatory perspective the Tracker is a marketing-purpose behavioral tracker requiring opt-in consent in the EU.
Brevo Signup Forms
Brevo forms come in two flavors: embedded HTML forms (lightweight, no external script needed) and popup forms (a separate script that watches visitor behavior to decide when to display). The embedded form is roughly equivalent to a contact form from a privacy perspective; the popup form is closer to a behavioral tracker and requires the same gating as the Tracker.
Brevo Conversations widget
The Conversations product (Brevo's live chat) loads its own script from conversations-widget.brevo.com, sets session cookies, and initiates a real-time presence connection. Functionally similar to Intercom's Messenger; consent treatment is identical.
Transactional and Programmatic APIs
Brevo also operates server-side surfaces: the Transactional Email API for system-generated messages, the SMS API for outbound texts, and the Marketing Automation API for triggered campaigns. These do not run on the user's device but the email-tracking pixels embedded in messages do — and those pixels are a separate consent surface inheriting the same constraints as web pixels under Apple Mail Privacy Protection and similar email-side protections.
Native Brevo Privacy Controls
Brevo has strengthened its native privacy primitives over the past two years, particularly in response to CNIL guidance on cookie banners and consent records.
The doubleOptinRedirect and confirmation flow
Brevo's default subscriber acquisition flow uses double opt-in — a subscriber signs up, receives a confirmation email, and must click to confirm. Under the GDPR this creates a documented consent record that is significantly stronger than single opt-in alternatives. Configure double opt-in by default unless there is a specific reason not to.
The trackEvent consent parameter
The Tracker's trackEvent function accepts an optional consent payload. Passing this lets you propagate the CMP's decision into Brevo's event stream, which Brevo's segmentation engine then respects. Wire it from the CMP's consent callback.
Contact-level consent fields
Brevo subscriber profiles have built-in fields for email consent, SMS consent, WhatsApp consent, and consent source. Updates via the Contacts API propagate to the segmentation logic in real time, so campaigns automatically respect the recorded state.
EU data residency
Brevo operates data centers in Paris and Munich. For accounts where EU residency matters, the data residency is automatic — no opt-in configuration needed. This is a meaningful operational simplification compared to US-based competitors where EU residency is a paid configuration option.
Step-by-Step CMP Integration
The reliable integration pattern is to defer every Brevo tracking surface behind the CMP and sync the consent decision to Brevo's contact-level fields via API.
1. Remove the default Tracker snippet from the document head
The Brevo Tracker installation snippet is a one-line script tag. Replace it with a placeholder script element with type="text/plain" and data-category="marketing". The CMP rewrites the type back to text/javascript when the visitor accepts marketing.
2. Defer popup forms separately from embedded forms
Embedded HTML signup forms can render on initial page load without gating — they do not set cookies and do not load external scripts. Popup forms must be gated under marketing consent, just like the Tracker. Most Brevo installations conflate the two; audit your form inventory and treat them differently.
3. Gate Conversations explicitly
The Conversations widget loads from conversations-widget.brevo.com and initializes a session connection on page load. Gate it behind marketing consent. For users who reject marketing, provide an alternative support contact path — a form, an email link, or an explicit "Start chat" button that loads the widget only when clicked.
4. Write the CMP decision to the contact profile
When a known subscriber updates their consent through the CMP banner, call the Brevo Contacts API to update the subscriber's email, SMS, and WhatsApp consent fields. This keeps Brevo's segmentation aligned with the recorded state. Most modern CMPs have a Brevo connector that handles this end-to-end.
5. Honor revocation in real time
On consent revocation, the CMP must call both the on-page Tracker shutdown function and the Contacts API endpoint to update the profile. Without both, the banner records a revocation but the underlying tracking continues on the contact level.
Common Pitfalls
Four integration mistakes account for most of the audit findings on Brevo deployments.
Single opt-in for European acquisitions
Brevo supports both single and double opt-in. Single opt-in creates a weaker consent record and has been cited by the CNIL in enforcement actions against several French and Belgian operators. For any European audience, configure double opt-in by default.
Conflating embedded and popup forms
Embedded forms are low-risk; popup forms are marketing-category tracking. Gate them differently. Treating both as "forms" and either gating both or gating neither is the single most common configuration defect.
Server-side API calls without consent context
The Transactional Email API and the SMS API can be called from your backend without the on-page consent state in scope. The backend must look up the contact's consent state at send time and respect it; otherwise the CMP's decision is not enforced for server-initiated messages.
Forgetting the email pixel
Brevo email tracking pixels are subject to the same Apple Mail Privacy Protection degradation as every other vendor's. The pixel still requires a separate consent decision distinct from the cookie consent on your website. Many operators record cookie consent but never explicitly record email-pixel consent.
Audit Checklist
Six concrete questions to answer for any Brevo deployment touching EU, UK, or California traffic.
- Does the Tracker wait for consent? Open the page in a private window and confirm no brevo.com or sendinblue.com requests fire before banner acceptance.
- Are popup forms gated separately from embedded forms? Confirm popup-form impressions do not fire before marketing consent.
- Is Conversations gated? Confirm the chat widget does not initialize before consent and a non-Conversations support path is available.
- Is double opt-in configured? Confirm the signup flow uses double opt-in for European audiences.
- Do server-side APIs honor consent? Confirm Transactional and SMS API calls check the contact's consent state before sending.
- Is the CMP decision synced to Brevo profiles? Confirm the CMP writes consent decisions to the Brevo contact via API.
Where Brevo Fits in a Consent-First Stack
Brevo sits in a privileged position relative to its US competitors: EU-resident data, double opt-in by default, and strong native consent primitives. The platform's French heritage means it has been designed against the CNIL's expectations from the start, which is a meaningful operational advantage when those expectations have become the de facto European standard. The integration work is mostly the same as any other marketing platform — gate the tracking surfaces, sync the consent decision via API, document the architecture — but the regulatory friction is lower than for US-headquartered alternatives. For European operators or for any small business that wants to keep its marketing stack inside the EU regulatory perimeter, Brevo combined with a properly integrated CMP is one of the most defensible postures available in 2026.