Most cookie management is automatic. The work falls into two areas: ensuring third-party cookie blocking does not break Salesforce, and setting up consent banners on Experience Cloud sites.
- Allowlist Salesforce domains in users' browsers
For orgs that use Outlook Integration, Inbox, or any Salesforce-hosted iframe, IT should allowlist Salesforce domains (salesforce.com, force.com, lightning.force.com, visualforce.com, cloudforce.com) in browser cookie settings. Browsers that block third-party cookies can break these features.
- Configure My Domain for first-party cookie behavior
Setup, My Domain. Enable My Domain and use the my.salesforce.com subdomain for production. Cookies are then set on a first-party domain, which browsers are less likely to block.
- Enable Cookie Consent for Experience Cloud sites
Setup, Cookie Consent. Configure the banner text, the categories of cookies (Essential, Functional, Analytics, Marketing), and the integration with your CMP if you have one. The component is then served on every Experience Cloud site page.
- Configure Marketing Cloud Account Engagement consent
In Marketing Cloud Account Engagement, enable the Cookie Consent feature and configure it to honor the user choice from the Experience Cloud banner. Pardot tracking cookies are set only after consent.
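The requirement in the two steps above is that no tracking cookie is set until the visitor has granted the matching category. The following is an added example, not Salesforce, Pardot or CMP code: a small consent gate that holds tracking initializers per category and releases them only once consent is granted, and queues them again after a revoke. The tracker functions and category names are constructed for illustration; in a real site the Marketing initializer would be the Pardot tracking snippet.

```javascript
// Added example (not Salesforce, Pardot or CMP code): gate tracking calls
// behind the consent categories used by the Experience Cloud banner.
const CATEGORIES = ["Essential", "Functional", "Analytics", "Marketing"];

// Build a gate. Essential is always granted; everything else starts denied,
// so a tracker registered before the banner is answered is queued, not run.
function createConsentGate() {
  const granted = new Set(["Essential"]);
  const pending = new Map(CATEGORIES.map((c) => [c, []]));

  // Register a tracking initializer. Runs now if its category is granted,
  // otherwise waits until grant() is called for that category.
  function track(category, init) {
    if (!pending.has(category)) throw new Error(`unknown category ${category}`);
    if (granted.has(category)) init();
    else pending.get(category).push(init);
  }

  // Visitor accepted one or more categories: flush the queued initializers
  // in registration order so cookies are set only after the choice was made.
  function grant(categories) {
    for (const c of categories) {
      granted.add(c);
      const queue = pending.get(c);
      while (queue.length) queue.shift()();
    }
  }

  // Visitor withdrew consent: new trackers for that category queue again.
  // Cookies already set must be cleared by the tracker's own cleanup; this
  // gate only stops further tracking calls.
  function revoke(categories) {
    for (const c of categories) if (c !== "Essential") granted.delete(c);
  }

  function isGranted(category) {
    return granted.has(category);
  }

  return { track, grant, revoke, isGranted };
}

// Walk through the failure mode the page warns about: a marketing tracker
// registered before consent must not fire. The "calls" array stands in for
// the tracking cookies a real tracker would set (constructed, not real).
function demo() {
  const gate = createConsentGate();
  const calls = [];

  gate.track("Marketing", () => calls.push("pardot:visitor_id")); // queued
  gate.track("Essential", () => calls.push("session:sid"));       // runs now
  const beforeConsent = calls.slice();

  gate.grant(["Marketing"]); // visitor clicks "Accept marketing"
  const afterConsent = calls.slice();

  gate.revoke(["Marketing"]);
  gate.track("Marketing", () => calls.push("pardot:late")); // queued again
  const afterRevoke = calls.slice();

  return { beforeConsent, afterConsent, afterRevoke, marketingGranted: gate.isGranted("Marketing") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The gate is deliberately default-deny: the only way a non-essential tracker runs is after an explicit `grant()`, which is the property a cookie audit should confirm on the live site.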
- Audit cookies on your sites
Use a cookie audit tool (OneTrust Cookie Audit, Cookiebot Scan, manual browser inspection) to enumerate every cookie set on your Experience Cloud or marketing pages. Document which are essential, which are functional, and which are marketing.
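As an added example of the manual side of that audit (not Salesforce code or any of the named tools), the script below parses Set-Cookie headers captured from a page load, classifies each cookie against a category table the auditor maintains, and reports cookies that were set before their category was consented to, plus missing Secure, HttpOnly and SameSite attributes. The sample headers and the category table entries other than sid (the Salesforce session cookie named on this page) are constructed placeholders.

```javascript
// Added example (not Salesforce code): audit Set-Cookie headers captured
// from an Experience Cloud or marketing page and classify every cookie.

// Category table the auditor maintains. "sid" is the Salesforce session
// cookie; the other names are constructed for this example.
const COOKIE_CATEGORIES = {
  sid: "Essential",
  CookieConsentPolicy: "Essential",
  pref_lang: "Functional",
  _ga: "Analytics",
  visitor_id: "Marketing",
};

// Cookies that carry a session and must therefore be HttpOnly.
const SESSION_COOKIES = new Set(["sid"]);

// Constructed sample: Set-Cookie headers as they might be captured from a
// page load with no consent given yet. Values and domains are placeholders.
const SAMPLE_HEADERS = [
  "sid=EXAMPLE_SESSION_TOKEN; Domain=example.my.salesforce.com; Path=/; Secure; HttpOnly; SameSite=None",
  "CookieConsentPolicy=1:0:0; Path=/; Secure; SameSite=Lax",
  "pref_lang=en; Path=/; Secure; SameSite=Lax",
  "visitor_id=abc123; Domain=.example.com; Path=/; Secure; SameSite=None",
  "_ga=GA1.2.1; Path=/",
];

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = { secure: false, httpOnly: false, sameSite: null, domain: null, path: "/" };
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    const v = i === -1 ? "" : part.slice(i + 1);
    if (k === "secure") attrs.secure = true;
    else if (k === "httponly") attrs.httpOnly = true;
    else if (k === "samesite") attrs.sameSite = v;
    else if (k === "domain") attrs.domain = v;
    else if (k === "path") attrs.path = v;
  }
  return { name, value, ...attrs };
}

// Unknown cookies are reported as such rather than silently treated as
// essential, so each one forces a classification decision.
function classify(name) {
  return COOKIE_CATEGORIES[name] || "Unknown";
}

// consent: categories the visitor had accepted when the page was loaded.
function auditCookies(setCookieHeaders, consent) {
  const granted = new Set(["Essential", ...consent]);
  return setCookieHeaders.map(parseSetCookie).map((c) => {
    const category = classify(c.name);
    const issues = [];
    if (!granted.has(category)) issues.push(`set before ${category} consent`);
    if (SESSION_COOKIES.has(c.name) && !c.httpOnly) issues.push("session cookie missing HttpOnly");
    if (!c.secure) issues.push("missing Secure");
    if (!c.sameSite) issues.push("no SameSite attribute");
    return { name: c.name, category, domain: c.domain, issues };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditCookies(SAMPLE_HEADERS, []), null, 2));
}
```

Run it twice per page: once with an empty consent list to catch anything set before the banner is answered, and once with all categories granted to check the attribute hygiene of the cookies that are allowed to exist.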
- Set up CCPA and GDPR compliance
Build the user-rights workflows (data export, data deletion) that go beyond cookie consent. These are typically Flows or Apex, triggered by the creation of a CookieConsent record or a Privacy Request record.
- Browsers blocking third-party cookies break Salesforce iframe integrations (Outlook, Gmail, Slack add-ins). Allowlist Salesforce domains to avoid silent failures.
- Marketing tracking cookies that fire before consent are a GDPR violation. Configure Pardot and MCE to honor consent before any tracking call.
- Salesforce session cookies are HttpOnly. JavaScript cannot read the sid cookie; do not write code that tries to access it.
- CookieConsent records grow rapidly on high-traffic sites. Build a retention policy or archive old consent records to keep storage costs manageable.
- Different jurisdictions have different consent requirements (EU strict consent, US opt-out, Brazil LGPD). One consent banner may not satisfy all regulations; configure per-site as needed.