Skip to main content
Back to Guides
Customization6 min read

How to Migrate from Cookiebot to CookieBeam (Step by Step)

A Cookiebot-specific migration guide: export your consent records and cookie declaration, map Cookiebot's four categories, replace its blocking markup, and cut over to CookieBeam without breaking Consent Mode or losing consent history.

Switching CMPs Is More Than Swapping a Script Tag

Moving from Cookiebot to CookieBeam is straightforward if you plan it, and risky if you just delete one script and paste in another. Do it carelessly and you can lose years of consent records, break Google Consent Mode, or leave orphaned data-cookieconsent attributes that stop your tags from firing at all. This guide walks through a Cookiebot-specific migration: exactly which cookie and markup to look for, how to map Cookiebot's categories, and how to cut over cleanly.

This is the vendor-specific version of our general migrate your CMP without losing consent guide. If you're still deciding, start with CookieBeam vs Cookiebot.

Before You Touch Anything

  • Export your Cookiebot consent records

    In the Cookiebot Manager, export your consent logs (timestamp, pseudonymous consent ID, per-category state, and banner version). Under GDPR you may need to demonstrate consent for years, so keep this archive even after you cancel.

  • Export your Cookiebot cookie declaration

    Cookiebot's scanner produces a categorised cookie declaration. Export it so you have a reference inventory to compare against CookieBeam's own scan, don't assume the new scanner will find an identical list.

  • Document your four Cookiebot categories

    Cookiebot uses Necessary, Preferences, Statistics, and Marketing. Note which scripts and cookies you assigned to each, you'll remap these to CookieBeam categories.

  • Find the Cookiebot consent cookie

    In DevTools, locate the CookieConsent cookie. Its value encodes the visitor's per-category choices. You'll need to decide whether to read/migrate it or re-establish consent.

  • Locate every Cookiebot script reference

    Search your codebase and GTM for the loader (id="Cookiebot", uc.js, data-cbid), the cookie declaration embed (CookieDeclaration), and any manual data-cookieconsent attributes or type="text/plain" blocked scripts.

Step 1: Map Cookiebot Categories to CookieBeam

Cookiebot's four-category model maps cleanly onto CookieBeam's categories. Necessary stays necessary. Preferences becomes functional/preferences. Statistics becomes analytics. Marketing becomes marketing/advertising. Write the mapping down before you configure anything, because a category mismatch is the most common cause of scripts firing without consent (or never firing) after a migration.

Pay special attention to any script you had marked Necessary in Cookiebot. Migrations are a good moment to re-check those, tools sometimes get miscategorised as strictly necessary when they're actually analytics or marketing. Our guide on automated scanning vs manual audits covers how to verify categorisation.

Step 2: Preserve Consent Mode Signal Mapping

If you run Google tags, Cookiebot has been translating its categories into Consent Mode signals, typically Statistics into analytics_storage and Marketing into the ad_storage, ad_user_data, and ad_personalization signals, with Necessary always granting security_storage. CookieBeam sends the same Consent Mode v2 signals natively, but you must confirm the mapping matches so your Google Ads conversion modelling and GA4 don't lose data at cutover.

Check whether your Consent Mode was wired through GTM's built-in consent settings or through Cookiebot's template. Either way, verify that CookieBeam fires the default (denied) state before any Google tag loads, and updates it on the user's choice. See advanced vs basic Consent Mode for the timing details that matter here.

Step 3: Set Up CookieBeam and Scan

Create your CookieBeam banner and run a fresh cookie scan. Compare the results to the Cookiebot declaration you exported, then reconcile any differences: a good headless scanner often finds dynamically injected trackers that a lighter scan missed, and occasionally misses something that only loads on a specific page. Configure your categories per the mapping from Step 1, set your Consent Mode defaults, and configure regional rules. CookieBeam's per-country regional engine means one banner can cover GDPR, CCPA, LGPD, PIPEDA, and UK GDPR, so this is a good moment to tighten region behaviour if Cookiebot was showing one banner everywhere.

Step 4: Remove Cookiebot's Blocking Markup

This is the step people forget, and it breaks sites. How you clean up depends on which blocking mode you used:

  • If you used Cookiebot auto-blocking (data-blockingmode="auto"), Cookiebot rewrote script tags at runtime. Removing the Cookiebot loader stops that rewriting; CookieBeam's tag-based blocking takes over. Verify no third-party scripts were left permanently disabled.
  • If you used manual blocking, you tagged scripts with data-cookieconsent="statistics" (or marketing/preferences) and often type="text/plain". Those attributes are Cookiebot-specific. Leave them in place and your scripts may never execute, or execute uncontrolled, once Cookiebot is gone. Strip them and let CookieBeam manage blocking, or re-tag using CookieBeam's method.
  • Remove the cookie declaration embed. If you embedded Cookiebot's CookieDeclaration script on your cookie policy page, replace it with CookieBeam's declaration and preference-centre link.

Step 5: Run in Parallel on Staging, Then Cut Over

Deploy CookieBeam on a staging environment first and test the full flow: accept blocks nothing, reject blocks non-essential scripts, and partial choices behave per category. Confirm Consent Mode signals fire in the right order and that your GTM tags respect them. CookieBeam's environment model lets you validate on dev/staging before touching production.

When you cut over, replace the Cookiebot <script id="Cookiebot"> loader with CookieBeam's snippet in the same position (as early as possible in the <head>, before analytics and ad tags). Decide how to treat returning visitors who already hold a CookieConsent cookie: the cleanest and most defensible option is to let CookieBeam establish fresh consent under the new banner. If you need continuity, you can read the old cookie's per-category state and seed CookieBeam accordingly, just document the logic for your records.

Post-Migration Verification (First Two Weeks)

Don't Skip
  • Monitor consent rates. A sharp drop usually means a banner or blocking bug; a sharp rise can mean the new banner drifted toward a dark pattern. Compare against your Cookiebot baseline.
  • Confirm analytics continuity. Consent Mode disruptions cause data gaps that take 24-48 hours to surface in GA4 and Google Ads.
  • Run a fresh scan and review categorisations, especially anything previously marked Necessary.
  • Fully decommission Cookiebot. Remove the loader, the declaration embed, and any leftover data-cookieconsent attributes; cancel the subscription and retire the CBID. Keep your exported consent archive.

Common Cookiebot Migration Pitfalls

  • Leaving data-cookieconsent or type="text/plain" in place. These are Cookiebot-specific and will silently break script execution once Cookiebot is removed.
  • Losing the consent archive. Cancel Cookiebot before exporting logs and you may lose the records you need to demonstrate historical consent under GDPR.
  • Consent Mode signal mismatch. If CookieBeam's category-to-signal mapping doesn't match what Cookiebot sent, your Google conversion data can quietly degrade.
  • Forgetting the declaration embed. An orphaned Cookiebot CookieDeclaration on your policy page will show stale data or a broken widget.

For the underlying export, mapping, and parallel-run mechanics that apply to any CMP switch, keep our general CMP migration guide open alongside this one, and confirm the end state against the GDPR cookie compliance checklist.

The Bottom Line

A Cookiebot to CookieBeam migration is low-risk when you do it in order: export consent records and the cookie declaration first, map the four Cookiebot categories, preserve the Consent Mode signal mapping, strip Cookiebot's blocking markup, validate on staging, then cut over and monitor. The two failure modes that catch people are losing the consent archive and leaving data-cookieconsent attributes behind. Handle those, and returning visitors keep a working banner, your analytics stay intact, and your consent history survives the move.

Reference: Google's Consent Mode developer documentation for signal names and timing.

Migrate from Cookiebot to CookieBeam: Step-by-Step 2026 | CookieBeam | CookieBeam