When businesses operate across multiple domains and subdomains, such as www.domain1.io and app.domain1.io, questions often arise about how cookie and tracking consent should be managed.
This article explains best practices and compliance requirements.
This guidance is especially relevant for compliance in the US, EU/EEA, and UK, where consent requirements are strict and domain-specific.
Consent Across Domains and Subdomains
- Subdomains (e.g., app.domain1.io): Consent can be shared across subdomains if configured correctly in your Consent Management Platform (CMP). This requires cookies to be set at the parent domain level (e.g., .domain1.io). For details, see the guide "How do I share consent across subdomains?".
- Separate Domains: Consent obtained on www.domain1.io does not automatically transfer to app.domain1.io or other separate domains. Termly does not collect consent across multiple domains, only across subdomains when configured. This is especially important for compliance in the US, EU/EEA, and UK, where consent requirements are strict and domain-specific.
If users access a separate domain directly (e.g., via a saved link), they must be prompted for consent again if cookies or tracking differ.
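As an added illustration (not Termly's code or any CMP's actual logic), the following applies the RFC 6265 domain-matching rule to show why a consent cookie set for the parent domain .domain1.io reaches every subdomain, while a host-only cookie or a separate domain does not. The hostnames and cookie name are constructed for the example.

```javascript
// Added example: RFC 6265 cookie domain matching applied to a consent cookie.
// Shows why a cookie scoped to ".domain1.io" is visible to www.domain1.io and
// app.domain1.io, but never to a separate domain such as www.domain2.io.

// Does request host `host` domain-match a cookie Domain attribute?
// RFC 6265 section 5.1.3: the strings are identical, or the host ends with
// "." followed by the domain. A leading dot on the attribute is ignored.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Model a consent cookie as a CMP would store it (constructed name/value).
// With no Domain attribute the cookie is "host-only": it is returned only
// to the exact host that set it, so other subdomains never see the consent.
function consentCookie(setByHost, domainAttr) {
  return {
    name: 'cookie_consent',                       // constructed cookie name
    value: 'analytics=denied;marketing=denied',   // constructed consent state
    hostOnly: !domainAttr,
    domain: domainAttr ? domainAttr.replace(/^\./, '') : setByHost.toLowerCase(),
  };
}

// Which of `hosts` would receive this cookie, i.e. see the stored consent
// and be able to skip re-prompting the user?
function hostsReceivingCookie(cookie, hosts) {
  return hosts.filter(h =>
    cookie.hostOnly ? h.toLowerCase() === cookie.domain
                    : domainMatches(h, cookie.domain));
}

// Constructed hostnames, including a look-alike that must NOT match.
const HOSTS = ['www.domain1.io', 'app.domain1.io', 'domain1.io',
               'www.domain2.io', 'evil-domain1.io'];

// Misconfigured: consent stored host-only on www -> app.domain1.io re-prompts.
const hostOnly = consentCookie('www.domain1.io', null);
// Correct: Domain=.domain1.io -> consent shared across all subdomains only.
const parentScoped = consentCookie('www.domain1.io', '.domain1.io');

console.log('host-only  :', hostsReceivingCookie(hostOnly, HOSTS));
console.log('parent-wide:', hostsReceivingCookie(parentScoped, HOSTS));
```

The look-alike host evil-domain1.io fails the match because the rule requires a literal "." before the domain, which is what keeps a parent-scoped consent cookie from leaking to unrelated registrable domains.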
Different Cookies or Tracking Technologies
- If app.domain1.io uses cookies or tracking technologies that differ from www.domain1.io, separate consent must be obtained.
- Each domain must disclose its specific tracking practices in its cookie banner and policies.
- CMPs should be configured per domain unless a unified solution is implemented across all subdomains.
Sign-Up Agreements and Consent
- A statement such as “By signing up, you are agreeing to our privacy and terms of service” does not replace cookie consent requirements under EU/EEA and UK law.
- Explicit consent for cookies and tracking must still be obtained via a banner or CMP.
- In the US, requirements are less prescriptive, but best practice is to maintain clear cookie notices and opt-out mechanisms.
Privacy Links and User Controls
- EU/EEA and UK: Each domain (including app.domain1.io) must provide:
  - A Privacy Policy link
  - A Cookie Policy link
  These should be accessible on every page, including after sign-in.
- US: While not always legally mandated, transparency and user control are strongly recommended, especially under state laws like CCPA/CPRA.
Best Practices
- Configure CMPs to handle subdomains consistently when possible.
- Deploy separate CMP instances if domains differ in cookies/trackers.
- Harmonize policies across domains while ensuring domain-specific disclosures.
- Maintain accessible privacy and cookie links across all user-facing pages.