Skip to main content
Back to Guides
Compliance6 min read

Switching Analytics or Marketing Vendors? Handle the Cookie Changes

Replacing one tracking tool with another quietly rewrites your cookie inventory and your data recipients. Here's how to swap vendors without leaking trackers or orphaning cookies.

A vendor swap is a consent change in disguise

You're moving from Google Analytics to Matomo, or replacing one chat widget with another, or switching ad platforms. It feels like an internal tooling decision. In consent terms it's two events at once: you're removing one set of cookies and data recipients, and adding a different set. Both halves have compliance consequences, and teams routinely botch one or the other. They leave the old tracker running alongside the new one, or they drop the new one in without gating it, or they forget the old cookies still sitting in returning visitors' browsers.

This is different from migrating your consent platform itself. If you're changing your CMP, see migrating a CMP without losing consent. This guide is about swapping a tracking or marketing tool while your consent banner stays put.

The overlap window is where things go wrong

The riskiest moment is the transition, when both the old and new vendor are live at once. Teams run them in parallel to compare data or avoid a gap in measurement. That's reasonable, but during the overlap you now have double the trackers, and it's easy to lose track of which cookies belong to what. Keep the overlap short, deliberate, and documented. Know the date the old vendor comes out, and actually remove it on that date rather than letting it linger for months as dead weight that still sets cookies.

A tracker you stopped using but never removed is the worst of both worlds: it collects nothing useful and still creates a consent obligation. Orphaned tags are a common finding in scans precisely because removal is the step everyone skips.

The swap, step by step

1. Add the new vendor blocked by default

Install the replacement the same way you'd add any new tracker: held until the matching consent category is accepted, wired to Google Consent Mode if it touches Google's ecosystem. Don't let "we're just swapping tools" become an excuse to skip the consent gate. See the new tracking tool runbook.

2. Scan the new vendor's real footprint

The new tool sets different cookies and calls different domains than the old one. Cookie-light analytics like Matomo, Plausible, or Fathom set far fewer trackers than Google Analytics, sometimes none, which can change your banner's story. Scan to see the actual footprint rather than assuming it mirrors the tool you're leaving.

3. Remove the old vendor completely

Delete the old tags from your site and your tag manager. Then confirm with a scan that the old cookies and connections are actually gone. "Removed" in a task tracker and "removed" in the browser are not the same thing until you've verified it.

4. Update your disclosures both ways

Add the new vendor's cookies to your cookie policy and remove the old vendor's. Update your records of processing to drop the old recipient and add the new one. A policy that still lists your previous analytics tool is a visible sign you don't keep it current.

Old cookies linger in returning visitors' browsers

Removing a tag stops new cookies from being set. It does nothing about the cookies already sitting in the browsers of everyone who visited before the swap. Those can persist for months or years based on their original expiry. For a clean cutover, have your consent tool clear the old vendor's cookies on the next visit, and don't rely on natural expiry to tidy up. A returning visitor carrying a tracker from a tool you no longer use is still a tracker you're accountable for.

Does a vendor swap require fresh consent?

Sometimes. A new vendor is a new data recipient, and under GDPR Article 7 a material change to who processes the data can mean the consent you already collected no longer covers your processing. Two rules of thumb:

  • Like-for-like within the same category usually doesn't need a fresh prompt. Swapping one analytics tool for another analytics tool, where the visitor already consented to analytics, is generally a policy update rather than a re-consent event. Update the disclosure and the vendor list.
  • A change in kind can trigger re-consent. Moving from privacy-friendly analytics to a tool that also does behavioral advertising, or adding a vendor that shares data with new third parties, changes what the visitor agreed to. That's a material change, and it points toward re-consent. See consent expiry and re-consent.

When it's genuinely ambiguous, the safer path is to refresh consent and explain why: "We've changed our analytics provider" is a reason visitors accept easily.

Don't carry old data into a new tool without a basis

Migrating historical data from the old vendor into the new one is its own question. The original data was collected under consent for the old processing context. Importing it into a new vendor with different processing, sub-processors, or a different country of storage may need its own legal basis and disclosure. If you're porting history, check that the move is covered, don't assume the original consent travels with the data.

Vendor swap checklist

  • New vendor installed blocked by default

    Held until consent, wired to Consent Mode if it touches Google.

  • New vendor's real footprint scanned

    Different cookies and domains than the tool you're leaving.

  • Old vendor fully removed and verified

    Confirm with a scan that the old tags and cookies are gone.

  • Overlap window kept short and dated

    Set the old vendor's removal date and honor it.

  • Cookie policy and records updated both ways

    Add the new recipient, remove the old one.

  • Old cookies cleared from returning visitors

    Removal stops new cookies; clear the ones already set.

  • Re-consent considered for a change in kind

    A new category or new third parties can be a material change.

Verify the swap actually happened

The two failure points in a vendor swap are trackers that never got removed and new ones that fire before consent, and both are exactly what a scanner catches. CookieBeam scans for the old vendor's leftover cookies and connections so you can confirm the removal was real, and its drift detection flags the new tool if it starts firing before consent. Run a scan right after the cutover and again a month later, once returning visitors have cycled through, to confirm the old footprint is truly gone. See monitoring for consent violations and drift.

Switching Analytics or Marketing Vendors: Cookie Consent Guide (2026) | CookieBeam | CookieBeam