Why SaaS Products Don't Fit the Standard Consent Playbook
Most cookie consent guides assume a marketing website: a visitor lands, sees a banner, clicks accept or reject, and either gets tracked or doesn't. SaaS products break that model in several ways at once.
Your users are authenticated. They have sessions, auth tokens, CSRF protections, and feature flags — all stored as cookies that the product literally can't function without. At the same time, you're running Mixpanel to track feature adoption, Intercom to handle support, and maybe Heap to understand where users get stuck in onboarding. Those tools drop cookies too, but for very different reasons.
The result is a consent surface that's more complicated than a typical content site. You need to separate what's strictly necessary from what requires a consent decision, handle the differences between your marketing site and your app, and figure out whether your enterprise customer's DPA covers their employees' consent — or doesn't.
This guide walks through each of those problems with enough specificity to actually make decisions. It's aimed at SaaS founders, product managers, and engineering leads who need to ship product analytics without shipping a compliance liability.
Essential Cookies: What You Don't Need Consent For
Under both the GDPR and the ePrivacy Directive (Article 5(3)), cookies that are strictly necessary for providing a service the user explicitly requested are exempt from consent. For a SaaS product, that category is broader than you might expect — but it has hard limits.
Clearly essential (no consent required)
- Authentication tokens — session cookies, JWTs stored as cookies, and refresh tokens. Without these, the user can't stay logged in. That's the definition of "strictly necessary."
- CSRF tokens — these exist solely to prevent cross-site request forgery. Security cookies are necessary by definition.
- Session state — server-side session identifiers, load-balancer affinity cookies, and anything that maintains the stateful connection the user initiated.
- User preferences stored server-side via cookie key — language selection, timezone, accessibility settings. These serve the user's explicit request to configure their experience.
The feature-flag gray area
Feature flags get interesting. A cookie that stores which experiment variant a user is in could be essential (it prevents the UI from flickering between states on every page load) or it could be analytics-adjacent (you're using it to measure conversion). The distinction matters.
If the cookie's sole purpose is delivering a consistent UI experience — the user is in variant B and needs to stay there — that's a functional cookie and typically qualifies as strictly necessary. If you're also reading that cookie to feed experiment-outcome data into your analytics pipeline, the analytics use requires consent even though the rendering use doesn't. The cleanest approach: use server-side feature flag evaluation (LaunchDarkly, Unleash, or your own system) and don't store the assignment in a client-side cookie at all.
Product Analytics Cookies: Where Consent Becomes Mandatory
This is the core tension for SaaS teams. Product analytics tools are how you understand adoption, retention, and where users churn. But the cookies they drop don't serve the user — they serve you. And that distinction is the entire point of consent law.
Common SaaS Analytics Tools and Their Cookie Behavior
| Tool | Cookies Dropped | Purpose | Consent Required? |
|---|---|---|---|
| Mixpanel | mp_* distinct_id cookie, device tracking cookie | User identification, event tracking, cross-session persistence | Yes — analytics, not strictly necessary |
| Amplitude | AMP_* device ID cookie | Device-level identity, session tracking | Yes — analytics tracking |
| PostHog | ph_* cookie (or localStorage) | Distinct user ID, session recording consent, feature flags | Yes — even self-hosted instances need consent for the cookie itself |
| Heap | _hp2_id.* cookies | Auto-capture user identification, session stitching | Yes — auto-capture makes the cookie scope very broad |
| Google Analytics 4 | _ga, _ga_* cookies | Client ID, session tracking, cross-domain measurement | Yes — see our guide on GA4 privacy compliance |
Every one of these tools stores or reads information on the user's device for a purpose that isn't strictly necessary for delivering the service the user asked for. Under ePrivacy Article 5(3), that's the trigger — accessing information stored on the terminal equipment requires consent, period. It doesn't matter that you're using the data internally for product improvement rather than selling it to advertisers.
Self-hosting doesn't change this. PostHog's self-hosted deployment means data stays on your infrastructure, which is great for data sovereignty. But ePrivacy governs the act of setting the cookie, not where the data ends up. A self-hosted cookie still needs consent.
For a deeper look at how consent affects analytics reporting specifically, see measuring the impact of consent on your analytics.
The Legitimate Interest Argument — and Why It Usually Fails for Cookies
This is the most common misconception in SaaS privacy discussions. The argument goes: "We use product analytics to improve the product for our users. That's a legitimate interest under GDPR Article 6(1)(f), so we don't need consent."
The reasoning is half right and entirely misleading. Here's why.
GDPR's legitimate interest provision governs the processing of personal data. ePrivacy Article 5(3) governs storing or reading information on a user's device — like setting a cookie. These are two separate legal gates, and you need to clear both.
Even if you have a valid legitimate-interest basis for processing the analytics data itself (and that's arguable — several DPAs have pushed back), you still need consent for the cookie that collects it. Legitimate interest does not override the ePrivacy consent requirement for device storage. The EDPB has been clear on this, and multiple national DPAs — France's CNIL, Germany's DSK, Austria's DSB — have enforced it.
When legitimate interest actually works
Legitimate interest can serve as your GDPR lawful basis in two specific situations:
- Server-side analytics that never touch the user's device — if you're analyzing server logs, database events, or API call patterns without setting any client-side cookies or reading browser storage, the ePrivacy trigger doesn't fire. You still need a GDPR basis for processing the personal data (IP addresses, user IDs), and legitimate interest can fill that role.
- First-party, strictly necessary functional data — if the information you're collecting is already being processed as part of delivering the service (e.g., you log API response times to maintain SLA compliance), the data processing may have a legitimate-interest basis. But again, the moment you set a separate cookie for this purpose, ePrivacy consent kicks in.
The practical takeaway: if your analytics tool sets client-side cookies, you need consent. Full stop. Plan your architecture accordingly.
Customer Success Tools and Consent
Customer success platforms raise the same questions as analytics tools, and teams often forget to gate them.
Intercom sets cookies to recognize returning users and persist conversations. Pendo drops cookies for feature-usage tracking and in-app guidance. Zendesk's widget sets session cookies for chat continuity. The consent test is the same: if the cookie delivers a feature the user requested (an open support chat), it's arguably functional. If it tracks behavior for your CS team's benefit, it needs consent.
Most CS tools blend functional and analytics purposes in the same cookie. The safer approach: gate the widget behind consent unless you can prove every cookie it sets is strictly necessary. For more, see session replay and heatmap tools: the consent and privacy risks.
In-App Consent vs. Website Consent
Your marketing website and your application are two different consent contexts. Your public site runs GA4 and Meta Pixel for acquisition; your app runs Mixpanel and Intercom for product insights. A full-screen cookie banner inside your dashboard feels wrong — and it is, from a UX perspective.
Three approaches that work:
- Same CMP, different configurations — deploy CookieBeam on both your marketing site and your app with different banner designs and cookie categories. The marketing banner gates acquisition scripts; the in-app prompt (or a settings page) handles product analytics.
- Consent inherited at login — if your marketing site and app share a domain, consent preferences can carry over via first-party cookies. But if the cookie categories differ, the user still needs a chance to consent to the app-specific ones.
- Settings-based consent — provide a privacy section in your app settings where users review and toggle consent categories. Better UX for authenticated users and satisfies the GDPR requirement that withdrawing consent is as easy as giving it.
The worst option: running analytics scripts in your app without any consent mechanism because "they already accepted on the website." Unless the website consent explicitly covered the in-app tools, that's invalid.
Logged-In vs. Logged-Out Users
The consent requirements don't change based on authentication state — ePrivacy applies regardless. But the implementation should differ.
For logged-out visitors (marketing site, docs, trial sign-up), standard banner rules apply. Store consent in the CMP's own cookie and gate scripts accordingly.
For logged-in users, you have an identity, which opens better options: persist consent choices in your database so preferences follow users across devices, show contextual inline prompts instead of repeated banners, and provide a dedicated settings section for granular control. The result is a consent experience that's less repetitive, more informed, and tied to the account rather than a browser cookie that gets cleared.
B2B SaaS: Does the Company Consent, or the Individual?
Short answer: the individual user must consent, not their employer.
A Data Processing Agreement (DPA) with an enterprise customer governs how you process data on their behalf. It does not constitute consent from individual employees. Cookie consent belongs to the person whose device stores the cookie — an employer can't consent on their behalf.
The GDPR's contractual necessity basis (Article 6(1)(b)) can cover the processing if it's necessary to deliver the service. But the ePrivacy cookie trigger still applies: analytics cookies need consent regardless of your GDPR lawful basis.
Practical approaches: let enterprise admins set default consent preferences that individual users can override; document your cookies in the DPA so enterprise buyers aren't surprised (see data processing agreements with your CMP); and minimize what needs consent by moving analytics server-side where possible.
Server-Side Analytics: The Consent-Friendlier Alternative
Instead of JavaScript SDKs dropping cookies in the browser, you capture analytics events in your backend — API logs, database event streams, application instrumentation — and forward them to your analytics platform via server-to-server APIs. PostHog, Mixpanel, and Amplitude all support server-side ingestion.
If your server-side implementation genuinely doesn't set any client-side cookies or access browser storage, the ePrivacy consent trigger doesn't fire. You still need a GDPR lawful basis for processing the personal data (user IDs, IP addresses), and legitimate interest can work here as long as you've documented the balancing test. For architectural patterns, see server-side consent enforcement.
The limitations
- No client-side behavioral data — clicks, scroll depth, rage clicks, heatmaps, and session replays all require client-side instrumentation and therefore consent.
- Identity stitching is harder — without a client-side device ID cookie, connecting events across sessions requires the user to be logged in.
- Hybrid tools may still set cookies — loading PostHog's JS library for feature flags while using the server API for analytics sounds clean, but check whether the library sets cookies even in flag-only mode. Many do.
- GDPR still applies — server-side doesn't mean consent-free. Erasure requests (DSARs) cover server-side analytics data too. See DSAR handling.
Many SaaS teams find that 70-80% of actionable product insights come from server-side events — signups, feature activations, plan upgrades, churn — and only need client-side analytics for specific UX investigations.
How CookieBeam Handles SaaS Consent
CookieBeam was built with SaaS deployments in mind.
Auth cookie exemption — the cookie scanner automatically classifies auth, session, and CSRF cookies as strictly necessary. No manual configuration needed.
Script gating — non-essential scripts (Mixpanel, Amplitude, Intercom, Pendo) are blocked until the user consents, whether loaded via tag manager or direct injection. See how to block scripts until consent.
Dual-context deployment — one script tag works on both your marketing site and app dashboard, with different banner designs and cookie categories per context.
Consent logging — every decision is recorded with timestamp, categories, and jurisdiction for audit trails. See consent logging and audit requirements.
Continuous cookie scanning — CookieBeam detects new cookies as they appear across your domains, catching compliance gaps before they become problems. Read more about how cookie scanners work.
A Practical Checklist for SaaS Teams
- Inventory cookies by purpose — separate auth/session/CSRF (essential) from analytics and CS tools (consent required). Run an audit.
- Gate analytics scripts behind consent — Mixpanel, Amplitude, PostHog, Heap, GA4. No exceptions for internal use.
- Evaluate CS tools — Intercom, Pendo, Zendesk. If they set non-essential cookies, gate them.
- Separate marketing-site and in-app consent — different contexts, different configurations.
- Offer settings-based consent for logged-in users — better UX than repeated banners.
- Don't rely on enterprise DPAs for individual consent — the DPA covers your relationship with the customer, not the employee's cookie rights.
- Move core product metrics server-side — signups, activations, and churn are server-observable.
- Document your legitimate-interest assessment for server-side processing. Regulators ask for it.
- Monitor for new cookies continuously — every dependency update is a potential compliance gap.
The Bottom Line
SaaS consent isn't harder than website consent — it's just different. The cookie categories are different (auth tokens instead of ad pixels), the user context is different (authenticated, repeat visitors vs. anonymous first-timers), and the business relationships are different (B2B contracts vs. direct consumers).
The legal principles are the same: cookies that serve the user's request are exempt; everything else needs consent. The practical challenge is building a consent implementation that respects those principles without degrading the product experience your users are paying for.
The SaaS teams that get this right treat consent as a product feature, not a legal checkbox. They instrument server-side where they can, gate client-side tools properly, and give users genuine control through well-designed settings — not dark-pattern banners that pretend there's only one right answer.
That's not just good compliance. It's good product.