Tracking Consent
Learn how Neon handles cookie consent, how consent affects analytics, and how to pass consent into embedded checkout.
Cookie consent helps Neon comply with privacy laws such as GDPR, CCPA, and similar regional requirements. The consent state is honored by both Neon Storefront and Embedded Checkout, so the user sees consistent behavior whether they're on Neon's hosted pages or inside an iframe on your site.
If your site already has its own cookie banner, you don't have to remove or replace it — Neon gives you a hook to forward your banner's decision into Embedded Checkout so users only see one prompt.
How consent works at a high level
Neon uses a location-aware consent model with three modes.
| Consent mode | Default tracking state | What the user sees |
|---|---|---|
| Explicit opt-in | Off until the user accepts | A consent prompt is required before non-essential tracking |
| Opt-out allowed | On by default | A Privacy Choices control lets the user opt out |
| No consent UI required | On by default | No consent UI |
At runtime, Neon determines which mode applies from the user's detected location. You do not need to manage these regional rules yourself.
The user's choice is stored in a neon_cookie_consent cookie on the Neon origin (Storefront and/or Checkout), so the same decision carries forward as the user moves through Neon's flow.
Storefront
If you use Neon Storefront, the consent UI is shown automatically when the user's region requires it. When the user continues from Storefront to Checkout, Neon forwards the consent decision so Checkout honors the same choice — you don't need to do anything to bridge the two.
Checkout
- If the user enters Checkout from Storefront, Checkout uses the consent value passed forward from Storefront.
- If the user enters Checkout directly, Neon determines the consent mode from the user's region.
- For non-embedded (hosted) Checkout, Neon shows its own consent UI when required.
- For Embedded Checkout, Neon is designed to avoid competing with your site's existing banner — see below.
Embedded Checkout
If you embed Checkout in an iframe on your site and your site already has its own cookie banner, you can forward your banner's decision into Embedded Checkout.
Pass consent when Checkout loads
When you already know the user's choice before the iframe loads, pass trackingConsent during Embedded Checkout initialization.
const checkout = neon.startEmbeddedCheckout({
checkoutId: "...",
checkoutToken: "...",
// ...other options
// "consented" | "declined" | "not_set" — defaults to "not_set" when omitted
trackingConsent: "consented",
});Set trackingConsent to:
consentedif the user has already accepted tracking on your sitedeclinedif the user has already declined tracking on your sitenot_setif the user hasn't made a choice yet (or omit it —not_setis the default)
If you pass consented or declined, Embedded Checkout honors that immediately and does not show its own consent UI.
Update consent after Checkout loads
If the user changes their choice later from your site's privacy controls, call setTrackingConsent(...) on your checkout instance.
// "consented" | "declined"
checkout.setTrackingConsent("consented");Call this when the user:
- accepts tracking after initially declining
- declines tracking after initially accepting
- updates their choice from your site's privacy controls
Embedded Checkout applies the new consent value in real time. You do not need to reload the iframe.
Calls made before the iframe finishes loading are buffered and applied on load — you don't need to wait for the ready event before calling setTrackingConsent.
The neon_cookie_consent cookie is set on the Neon checkout origin, not your site's origin, so you won't be able to read it from your own JavaScript. Your source of truth for the user's choice should always be your own banner's state, which you forward to Neon via trackingConsent and setTrackingConsent.
Fallback behavior when you do not pass consent
If you do not pass consent into Embedded Checkout, Neon falls back to region-based defaults.
| Scenario | Embedded Checkout behavior |
|---|---|
| Explicit opt-in region | Tracking stays off by default. No consent prompt is auto-shown inside the iframe. |
| Opt-out region | Tracking starts by default. The user can opt out via Privacy Choices in the iframe. |
| No consent UI required | Tracking starts by default. No consent UI is shown. |
This fallback is intentional — Neon prioritizes a seamless Checkout flow over showing a second prompt inside your iframe.
If your site already collects consent, pass that decision into Embedded Checkout so the iframe's tracking state mirrors your banner. If you don't have your own banner, the region-based fallback already handles compliance — no integration is required.
What consent does not affect
Cookie consent only gates Neon's own analytics tracking inside Storefront and Checkout. It does not affect:
- Purchases — payment processing and order records work for all users regardless of consent.
- Fraud detection — strictly necessary signals continue to work.
- Your own site's cookies and analytics — those are entirely under your control.
If a user declines tracking, the visible difference is that Neon does not initialize analytics or write tracking cookies inside Neon Storefront and Checkout. Your purchase data, webhooks, and fulfillment flow are unchanged.