Substack & Beehiiv: Do Newsletters Need Cookie Banners?
Email marketing platforms Substack and Beehiiv use cookies and email tracking pixels to manage user sessions, personalize experiences, and run analytics. Cookies and tracking pixels track whether a user opens an email and collect device, IP, and behavioral data. Thus, under GDPR, Substack and Beehiiv newsletters need cookie banners to inform users about tracking and get consent.
Substack and Beehiiv are the leading newsletter platforms. Substack focuses on simple, paid subscription models and community engagement, while Beehiiv acts as a modern, growth-focused alternative that specializes in deeper data analysis, ad monetization, and custom analytics.
Do newsletters need cookie banners?
Newsletter platforms use cookies and other tracking technologies for analytics purposes, referral tracking, performance optimization, and other purposes. Email tracking pixels are used to track newsletter open rates.
Read this guide to learn more about the cookie types and functions used by Substack and Beehiiv, and how to add a cookie banner to each platform.
Do Newsletters Need Cookie Banners Under GDPR?
Newsletters don’t need a Cookie Banner if you’re just sending emails. However, if you’re using Substack or Beehiiv with public pages, signup forms, or analytics for user tracking and ads, you need a cookie banner and Cookie Consent for email marketing platforms.
In Europe, GDPR and the ePrivacy Directive (cookie law) set requirements for the use of cookie banners.
Thus, the questions are:
- Do email newsletters need GDPR consent?
- Do Substack newsletters need cookie banners?
- Does Beehiiv require Cookie Consent?
There are different types of cookies.
You don’t need a cookie banner for strictly necessary cookies.
If your website uses non-essential cookies (analytics, functional, marketing, etc.) to track visitors, newsletters generally require a GDPR-compliant cookie banner, even if the primary purpose is to collect email addresses.
Most modern newsletter setups set cookies or tracking pixels to track users, even if you didn’t explicitly add it. Newsletter platforms use cookies and other tracking technologies for analytics purposes, referral tracking, performance optimization, third-party integrations, and other purposes. They also use email tracking pixels to track newsletter open rates.
In practice, it means that if you use newsletters like Substack or Beehiiv with their default settings, you need cookie banners to achieve newsletter GDPR compliance.
You can use a Consent Management Platform like CookieScript to add a compliant cookie banner for newsletters.
Does Substack Use Cookies?
Yes, Substack uses cookies and similar tracking technologies like local storage and session storage to operate its platform, manage login and user sessions, track engagement, and for third-party integrations. Thus, you need Substack Cookie Consent.
In 2026, Substack uses its Privacy Policy to manage user data practices. The updated Privacy Policy (effective January 2026) reflects the "compliance-first" approach, similar to Google Consent Mode v2.
However, Substack doesn’t give you granular control over Cookie Consent. Thus, you can’t fully configure prior consent behavior, and cookies may load before user consent is collected, which means that your Substack site does not comply with the GDPR.
Substack categorizes its cookies into three functional groups:
1. Essential & functional (strictly necessary cookies)
Essential & functional cookies are needed for Substack to operate normally. Without them, the service wouldn’t work. You cannot opt out of these cookies.
Substack’s essential and functional cookies are used for:
- Authentication: These cookies synchronize your login state across the dashboard and the mobile app, often via identity providers like Clerk.
- Session management: They keep you logged in while navigating between different newsletters.
- Security: Needed to detect bots and prevent cross-site request forgery (CSRF) attacks.
You do not need user consent to use these strictly necessary cookies.
2. Analytics & performance
Substack uses analytics and performance cookies to analyze newsletters’ efficiency and provide insights to writers that could help them improve their reach and the Substack Network.
Substack’s analytics and performance cookies are used for:
- Writer metrics: They track whether emails were opened, link clicks, and paywall hits to show authors how their content is performing.
- Platform growth: Analyzes how users discover new newsletters through the Substack Network or the Substack Notes feed.
- A/B testing: You can show different versions of "Subscribe" buttons to see which converts better.
You need explicit consent to use analytics and performance cookies.
3. Marketing & advertising
This is the riskiest area for compliance. In early 2026, regulators are reviewing the use of these cookies and compliance requirements due to high-risk data-sharing practices.
These cookies are used for:
- Network recommendations: They track your reading history to suggest other writers you might like.
- Third-party integration: If a writer embeds a YouTube video or a Spotify player, those platforms often set their own Tracking Cookies on the page.
- Retargeting: Substack may share hashed data with advertising partners to find similar audiences on other social platforms.
You need explicit consent to use marketing and advertising cookies. Regulators scrutinize the use of Third-Party Cookies in great detail for high-risk data-sharing practices. Note that even if Substack sets cookies for you, you are responsible for compliance.
Does Beehiiv Use Cookies and Track Users?
Yes, Beehiiv uses cookies and tracking pixels to operate its platform, manage login and user sessions, optimize performance, and track engagement. It may also use Third-Party Cookies to integrate third-party technologies into the newsletter.
Beehiiv uses cookies and tracking for:
- Login and session management
- Site analytics
- Security
- Referral tracking
- Performance optimization
- User behavior and engagement tracking
- Third-party integrations.
Beehiiv also uses third-party cookies to integrate third-party technologies into the newsletter.
Third-party cookies are used for:
- Marketing
- Ad targeting
- Analytics
- Performance tracking.
Beehiiv can integrate with tools like Google Analytics and Google Ads, and may allow other ad networks or external vendors to place cookies on its site.
Compared to Substack, Beehiiv offers more customization, but it still doesn’t automatically ensure compliance with consent requirements. Users may still be tracked before consent is obtained.
Under Beehiiv GDPR compliance requirements, you need prior consent to use cookies on a Beehiiv site. Note that even if Beehiiv sets cookies for you by default, without asking your opinion, you are responsible for cookie compliance.
Do Email Tracking Pixels Require Consent Under GDPR?
Yes, email tracking pixels generally require explicit, prior consent under GDPR and the ePrivacy Directive. Since they collect personal data like IP addresses, devices, or location, opt-in consent is mandatory.
Tracking pixels are used to:
- Track whether a user opens an email.
- Collect device, IP, and behavioral data.
- Identify users.
Under GDPR, that’s personal data processing. So, you need to disclose them in your Privacy Policy and obtain explicit consent.
Most newsletter platforms enable tracking pixels by default. Creators need to disclose them properly to achieve compliance with GDPR and the ePrivacy Directive.
Note: Even if newsletter platforms set tracking pixels for you by default, you are responsible for cookie compliance. In the case of non-compliance, you could be fined up to 4 % of your global annual turnover.
Legitimate interest may apply in some cases (which means consent is not mandatory). But in 2026, regulators and courts increasingly require reliance on explicit consent instead.
There are certain exceptions when tracking pixels may not require consent:
- When they are used for strictly necessary technical purposes, such as verifying user identity (e.g., in a password reset email).
- For anonymous and aggregate open rates, where no individual is identified.
Do Embedded Signup Forms Require Cookie Consent?
If signup forms just collect email addresses and do not set cookies, they do not require cookie consent. When forms load scripts, set cookies, and add marketing/analytics tools, cookie consent is mandatory. In most cases, embedded signup forms load scripts and set cookies; thus, they require cookie consent.
There are different embedded signup forms:
- Basic forms just collect email addresses. They don’t set cookies and do not track users. They do not require cookie consent, and a cookie banner is not needed.
- Embedded forms with scripts load the platform’s JavaScript code and set cookies and other website trackers to track and analyze users. These are the most common forms. Cookie consent is required by privacy laws.
- The most sophisticated embedded signup forms use cookies together with third-party marketing and analytics tools. Such tools may include Google Analytics, Meta Pixel, and conversion tracking. Third-party tracking definitely requires consent before loading.
Even if you think you are using just a simple signup form, you do not know what scripts are running behind it. Forms may extensively track users by default, even without your knowledge. Thus, it is recommended to implement a compliant cookie banner to collect and store cookie consent.
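An added example (not from CookieScript, Substack or Beehiiv): a static check that sorts an embed snippet into the three form types listed above by what it loads. The tracker host table and the sample snippets, including the host newsletter-platform.example, are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts serving the third-party tools named above (Google Analytics, Meta Pixel).
# Illustrative and not exhaustive; extend it for your own stack.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google tag",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
}
STORAGE_APIS = ("document.cookie", "localStorage", "sessionStorage")


class EmbedAudit(HTMLParser):
    """Records what an embed snippet loads remotely or runs inline."""

    def __init__(self):
        super().__init__()
        self.remote = []    # (tag, host) for script/iframe/img with a src
        self.inline = 0     # number of inline <script> blocks
        self.storage = []   # storage APIs referenced by inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            self.remote.append((tag, urlparse(src).hostname or "(same origin)"))
        elif tag == "script":
            self._in_script = True
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.storage += [a for a in STORAGE_APIS
                             if a in data and a not in self.storage]


def classify_embed(snippet):
    """Map a snippet onto the three form types described above."""
    audit = EmbedAudit()
    audit.feed(snippet)
    audit.close()
    hosts = sorted({h for _, h in audit.remote})
    trackers = sorted({TRACKER_HOSTS[h] for h in hosts if h in TRACKER_HOSTS})
    # An iframe counts as "scripted": the framed page can run any script.
    runs_code = audit.inline > 0 or any(t != "img" for t, _ in audit.remote)
    tier = "third-party tracking" if trackers else "scripted" if runs_code else "basic"
    return {"tier": tier, "hosts": hosts, "trackers": trackers,
            "storage": audit.storage, "consent_before_load": tier != "basic"}


# Constructed sample snippets; newsletter-platform.example is a placeholder host.
FORM = ('<form action="https://newsletter-platform.example/subscribe" method="post">'
        '<input type="email" name="email"><button>Subscribe</button></form>')
IFRAME = '<iframe src="https://newsletter-platform.example/embed"></iframe>'
TRACKED = (FORM
           + '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
           + '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
           + '<script>document.cookie = "ref=landing; path=/";</script>')
```

Static inspection only sees what the snippet itself declares; scripts that a loaded script injects at runtime need a browser-based scan to find.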
CookieScript CMP is a professional and reputable CMP. It is a Google-certified CMP, recommended by Google to implement Google Consent Mode v2 and Google Tag Manager. Recently, it received a Golden badge in the new Google tiering system.
Are Substack and Beehiiv GDPR Compliant by Default?
No, Substack and Beehiiv are not GDPR compliant by default. They offer basic compliance options and privacy features, but they are not fully compliant out of the box, especially for cookie consent.
Newsletter platforms like Substack and Beehiiv typically offer these compliance options:
- Data processing agreements
- Basic privacy features
- Email-related compliance tools.
However, Substack and Beehiiv do not cover:
- Cookie consent banners
- Prior blocking of non-essential cookies
- Consent logging
- Script blocking before consent.
Compared to Substack, Beehiiv is a more privacy-conscious platform and gives you more customization.
Beehiiv offers by default:
- Fully customizable cookie banner.
- Custom script injection (Scale or Max plan).
- Automatic GPC support.
- Fully integrated Google Consent Mode v2.
- Downloadable cookie logs for audits.
Substack, on the other hand, offers a limited cookie compliance solution. It has a built-in cookie banner, suitable only for simple pages.
Substack doesn’t allow custom script injection (needed to implement an external, compliant banner), there is no automatic GPC support or integrated Google Consent Mode v2. Audit logs are not available for writers.
Thus, Substack and Beehiiv are not GDPR compliant by default. While Beehiiv is a more privacy-conscious platform and allows banner customization or adding an external banner, Substack offers only limited compliance solutions. This is a serious compliance issue. Non-compliance with privacy regulations could result in huge penalties, up to 4 % of global annual turnover. Most importantly, you, the publisher, are responsible for compliance, not the newsletter platform. Regulators will come to you.
How to Add a Cookie Banner to Substack / Beehiiv
Newsletter platforms, such as Substack or Beehiiv, are not GDPR compliant by default. Even if they offer basic compliance and privacy features, they still lack many features required for cookie compliance.
Adding a cookie banner to a newsletter platform depends entirely on how open the platform is to custom code. These newsletter platforms, especially Substack, have very limited script injection options, so adding a cookie banner could be tricky.
To add a cookie banner to Substack or Beehiiv, you need to use an external tool (a Consent Management Platform), the built-in compliance tools (Beehiiv), or a workaround.
1. How to add a cookie banner to Beehiiv
As of 2026, Beehiiv is the preferred choice for privacy-conscious creators because it is more flexible for using external tools to add a cookie banner. It offers two distinct ways to handle consent.
There are two methods to add a cookie banner to Beehiiv and obtain Beehiiv cookie consent.
Method A: Use the native toggle
Beehiiv has a built-in compliance suite that satisfies GDPR and CCPA requirements without adding an external script.
- Navigate to Website > Builder.
- In the left sidebar, click Settings (Gear Icon) > All Settings.
- Select GDPR, CCPA, & Compliance.
- Turn on Cookie Banner.
2026 Upgrade: Ensure you also switch on the Signup ToS & Privacy Policy tab. This adds a mandatory checkbox to your subscribe forms, which is now a strict requirement for EU-based readers.
Method B: Use a custom CMP like CookieScript
If you use advanced tracking (Google Analytics, Facebook Pixels, or custom GTM tags), the native banner might not be enough since it does not provide granular cookie banner options.
Use a custom Consent Management Platform (CMP) instead.
- Register for a CMP and adjust the settings of your banner.
- Copy your banner script from your CMP.
- In Beehiiv, go to Settings > Publication > Analytics.
- Go to the External Scripts section (This usually requires a Scale or Max plan).
- Paste the script into the Header Custom Code box.
Beehiiv’s 2026 infrastructure will automatically delay your other analytics scripts until the CMP sends a Consent Granted signal.
Read the CookieScript cookie banner setup guide for more details.
CookieScript offers a wide set of cookie banner features for affordable pricing. You can get a fully compliant consent management tool for as little as €8 per month per domain for basic features, or €19 per month per domain for full compliance.
It also comes with a 14-day free trial.
2. How to add a cookie banner to Substack
In 2026, Substack remains closed for external scripts. While they have improved their platform-wide privacy, individual writers cannot inject custom JavaScript into their Substack publication pages.
It’s not easy to add external code to get Substack cookie consent. You cannot add a custom banner directly on Substack: there is no "Custom Script" or "Header Code" section in Substack settings.
Method A. Use a built-in cookie banner
Substack provides a generic platform-level cookie banner. However, it is designed to protect Substack’s liability, not your compliance.
It might be enough to ensure compliance if you use Substack to deliver newsletters or for simple forms.
However, if you are using advanced tracking and marketing tools like Google Analytics, Meta pixels, or other third-party pixels, Substack’s cookie banner is not sufficient for GDPR compliance.
To implement a compliant banner on your Substack site in 2026, you should use a workaround.
Method B. Use a landing page wrapper
Use this workaround to implement a cookie banner on your Substack site:
- Build a simple landing page using Next.js, Webflow, or Framer.
- Install your CookieScript banner on that landing page.
- Embed your Substack signup form on this page.
Redirect users to the actual yourname.substack.com URL only after they have interacted with your privacy-compliant landing page.
How to Select a CMP to Add a Cookie Banner on your Substack / Beehiiv Site?
There are many Consent Management Platforms (CMPs) on the market.
Read the following guide to learn how to select the right CMP for you.
In short, you should look for a CMP that:
- Is a Google-certified CMP.
- Is trusted by users.
- Is easy to integrate.
- Offers many features.
CookieScript CMP could be your choice as the best CMP to add a cookie banner on your Substack / Beehiiv site:
- It is a Google-certified CMP with the Gold tier in Google’s tiering system.
- It is valued by users. In 2024, users ranked CookieScript CMP on G2, a peer-reviewed website, as the best CMP for small and medium-sized companies.
- It has automatic integration with many platforms and the CookieScript API.
- It offers advanced features. While many budget CMPs offer basic features, CookieScript CMP offers advanced features like geo-targeting, scanning of local storage and session storage, self-hosted code, cookie banner sharing, cross-domain cookie consent sharing, and others.
CookieScript CMP offers the following features, needed for your Substack or Beehiiv site to achieve cookie compliance:
- Automatic cookie scanning to detect cookies, local storage, session storage, and other tracking technologies.
- Pre-built compliance templates for GDPR, CCPA, and other laws.
- Customizable banners to match the brand and your website’s appearance.
- Privacy Policy Generator to create a compliant Privacy Policy in minutes.
- Consent logs and reports for audits.
- Third-party cookie blocking.
- Integrations with CMS platforms like WordPress, Shopify, Wix, Joomla, etc.
- Google Consent Mode v2 integration for marketing and analytics compliance.
- IAB TCF v2.2 integration for publishers, advertisers, and ad tech vendors to manage user consent and transparency.
- Google Tag Manager integration for easier integration of Google Products.
- Certification by Google for the possibility to use Google Ads, Google AdSense, Google Analytics, and other products.
- CookieScript API to customize the behavior of cookie banners, manage Cookie Consent and scans, retrieve and update cookie declarations, and control individual cookies automatically.
- Geo-targeting to deliver the right consent banner based on the user’s location and applicable regulations.
- Scanning of local storage and session storage.
- Self-hosted code to download, edit, and host your generated JavaScript files on your servers.
- Cookie banner sharing to allow web agencies to share their banners with multiple users.
- Cross-domain cookie consent sharing to enable both sub-domain and cross-domain Cookie Consent sharing from a single user across multiple domains.
Frequently Asked Questions
Do I need a cookie banner for Substack?
Yes, Substack uses cookies and tracking pixels to operate its platform, manage login and user sessions, track engagement, and for third-party integrations. Under GDPR and the ePrivacy directive, you need cookie consent to set these cookies. However, Substack doesn’t give you granular control over cookie consent, so you need a CMP like CookieScript to implement a compliant cookie banner.
Does Beehiiv require GDPR cookie consent?
Yes. Beehiiv uses cookies for analytics, referral tracking, and third-party integrations. These are non-essential cookies, so GDPR requires cookie consent to use them. Use the native toggle or add a custom CMP like CookieScript to implement a cookie banner and obtain user consent. CMPs offer more flexibility.
Do newsletters need cookie banners under GDPR?
You don’t need a cookie banner if you’re just sending emails. However, if you’re using Substack or Beehiiv with public pages, signup forms, or analytics for user tracking and ads, you need a cookie banner. In most cases, Substack or Beehiiv use cookies for analytics, referral tracking, or third-party integrations, thus you need a cookie banner when sending newsletters. Add a custom CMP like CookieScript to implement a compliant cookie banner.
Do email tracking pixels require consent under GDPR?
Yes, email tracking pixels collect personal data like IP addresses, devices, or location. Data privacy laws, such as GDPR and the ePrivacy directive, require explicit, prior consent to use tracking pixels. Use a CMP like CookieScript to obtain user consent.
Do embedded signup forms require cookie consent?
In most cases, embedded signup forms require cookie consent. If sign-up forms just collect email and do not set cookies, they do not require cookie consent. However, when forms load scripts, set cookies, and add marketing/analytics tools, cookie consent is mandatory. Add a custom CMP like CookieScript to implement a cookie banner and obtain user consent.
Are Substack and Beehiiv GDPR compliant by default?
Substack and Beehiiv are not GDPR compliant by default. While Beehiiv is a more privacy-conscious platform that allows banner customization or adding an external banner, Substack offers only limited compliance solutions. Non-compliance with privacy regulations could result in penalties of up to 4 % of global annual turnover. Thus, you need to add a custom CMP like CookieScript to implement a cookie banner and obtain user consent.