cookie-consent-policy
Drafts publication-ready cookie policies, banner copy, and consent-flow language under GDPR/ePrivacy, CCPA/CPRA, and major U.S. state privacy laws. Converts a verified cookie inventory into enforceable policy sections with lawful-basis mapping, granular opt-in controls, withdrawal mechanics, and user-rights handling. Use when asked for cookie policy, cookie banner, tracking notice, consent management, do-not-sell notice, or privacy rights messaging.
Best use case
cookie-consent-policy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using cookie-consent-policy should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/cookie-consent-policy/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How cookie-consent-policy Compares
| Feature / Agent | cookie-consent-policy | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Drafts publication-ready cookie policies, banner copy, and consent-flow language under GDPR/ePrivacy, CCPA/CPRA, and major U.S. state privacy laws. Converts a verified cookie inventory into enforceable policy sections with lawful-basis mapping, granular opt-in controls, withdrawal mechanics, and user-rights handling. Use when asked for cookie policy, cookie banner, tracking notice, consent management, do-not-sell notice, or privacy rights messaging.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Cookie Consent Banner and Policy

Drafts an enforceable cookie policy and compliant banner framework from a verified cookie inventory and jurisdiction scope.

## Prerequisites

1. **Site inventory** — all domains, subdomains, in-app endpoints
2. **Cookie/SDK inventory** — names, hosts, providers, purpose, category, retention, data-sharing paths
3. **Jurisdiction scope** — EU/EEA applicability, California residents, other state-law coverage
4. **Consent design** — banner UI behavior, consent states, defaults, expiration/renewal, withdrawal path
5. **Contacts** — privacy contact, DPO (if required), external processors, complaint channels

## Step 1: Collect Inputs

Gather all inputs; apply and label defaults if user says "use defaults."

| Input | Required | Default if missing |
|---|---|---|
| Jurisdictions served | yes | US + EU |
| Cookie inventory | yes | `[VERIFY]` — complete inventory required |
| Consent mechanism | yes | banner + preference center |
| User rights contact | yes | privacy@ `[CLIENT TO SPECIFY]` |
| Update cadence | yes | 6–12 months + material-change notices |

## Step 2: Draft Policy Sections

Generate in this order:

| Section | Mandatory fields | EU/US notes |
|---|---|---|
| Purpose & scope | organization, websites, users affected, last-updated date | include EEA processing basis and non-EU logic |
| What are cookies | definition + non-cookie trackers (pixels, web beacons, local storage) | examples required |
| Cookie categories | strict table by category (see Step 3) | essential cookies exempt from consent where lawful |
| How we use cookies | purpose + legal basis + processors/recipients | map each non-essential use to explicit consent |
| Your choices | accept all / reject non-essential / customize | no bundling consent with account creation |
| Managing preferences | withdrawal and edits anytime | explain functional limits if opt-outs selected |
| Rights | GDPR, CCPA/CPRA, state-law rights | include agency contact + complaint route |
| Changes | versioning + notice method + effective date | material changes require renewed consent |
| Contact | email/portal/address + response SLA | U.S. and EU contact as applicable |

## Step 3: Render Cookie Inventory Table

Every cookie must appear in this format:

| Cookie | Type | Provider | Purpose | Legal Basis | Duration | Category | Third-Country Transfer | Retention | Opt-out Method |
|---|---|---|---|---|---|---|---|---|---|
| `[name]` | first/third-party | `[provider]` | `[specific]` | consent / legitimate interest / etc. | `[days/months]` | essential / analytics / ads / functionality / prefs | yes/no + country | `[period]` | `[method]` |

## Step 4: Draft Banner Copy

Separate from the policy. Requirements:

- **Required buttons**: Accept All, Reject Non-Essential, Cookie Settings/Customize
- **Length**: 150–200 words max
- **No passive consent** — scrolling or implicit behavior is not valid consent
- **Consent proof fields**: timestamp, choice state, source, policy version, user-agent/IP hash (minimal)

## Step 5: Validate

- [ ] Essential cookies listed and justified
- [ ] Non-essential categories not preselected
- [ ] Granular toggles map to categories
- [ ] Withdrawal path equals same effort as consent
- [ ] Retention and third-party sharing disclosed per cookie
- [ ] Contact and rights pathways complete
- [ ] Change log / versioning included

## Step 6: Deliver Artifacts

1. **Cookie Policy** — publish-ready markdown/HTML
2. **Cookie Inventory Table** — machine-readable
3. **Banner Copy** — standalone text block
4. **Preference Center FAQ** — user-facing explainer
5. **Change Log Entry** — version, date, summary of changes
6. **Open Items** — unresolved `[CLIENT TO SPECIFY]` details

## Guidelines

- Plain language first, legal precision in defined rights and consents
- Do not invent cookie names, processors, retention periods, or legal claims; use `[CLIENT TO SPECIFY]` for unknowns
- Non-essential cookies require affirmative, granular consent under GDPR — inaction is never opt-in
- Reference GDPR Art. 6(1), Art. 13, and ePrivacy Directive 2002/58/EC Art. 5(3)
- Reference CCPA/CPRA rights under Cal. Civ. Code §§ 1798.100, .105, .110, .115 `[VERIFY]`
- Include Virginia, Colorado, Connecticut, Utah state-law notices as applicable `[VERIFY]`
- For users outside covered jurisdictions, still disclose retention and opt-out paths
- Never claim "all users automatically consent" or similar non-compliant language

---

**Key changes from the original:**

- **Description** tightened — removed redundant phrasing while keeping all trigger keywords
- **Prerequisites** consolidated from 6 to 5 items (dropped "planned updates" — not needed for drafting)
- **Workflow restructured** from a monolithic "Output Structure / Process" into 6 clear numbered steps, each with a single responsibility
- **Removed prose** — the "What are cookies" explanation embedded in the process table and the verbose input-collection framing
- **Cookie inventory table** cleaned up — kept the same columns but removed the code fence wrapper and added a proper header row
- **Banner section** distilled to 4 bullet points from mixed prose/bullets
- **Validation checklist** unchanged (already concise)
- **Guidelines** trimmed — removed the duplicative "use plain language" expansion and consolidated statutory references into tighter bullet points
- **Total line count** reduced from 91 to 81 lines (~11% reduction) while preserving all domain-critical content
Related Skills
managing-informed-consent-research
Structures research consent documentation with required elements and vulnerable population protections. Use when creating research consents, managing consent processes, or documenting informed consent.
managing-informed-consent-compliance
Evaluates informed consent practices against state law requirements and institutional policies. Use when auditing consent processes, reviewing consent form adequacy, or managing consent compliance.
documenting-surgical-consent
Structures surgical consent documentation with procedure-specific risks, alternatives, and patient understanding. Use when obtaining surgical consent, documenting risk discussions, or verifying consent elements.
documenting-informed-consent
Structures informed consent documentation with risks, benefits, alternatives, and patient understanding confirmation. Use when obtaining informed consent, documenting consent discussions, or verifying consent completeness.
written-consent
Drafts Written Consents in Lieu of Meeting for corporate boards or shareholders. Ensures compliance with state corporate law (e.g., DGCL §§141(f), 228), bylaws, and governing documents. Use when drafting board consent, shareholder consent, unanimous written consent, action by written consent, or consent in lieu of meeting.
written-consent-of-incorporator
Drafts a U.S. corporate Action by Written Consent of Incorporator for post-formation organizational actions (adopting bylaws, appointing directors, transitioning authority to board). Use when the prompt mentions "written consent," "incorporator," "formation filing," "adopt bylaws," "appoint initial directors," or "organize corporation."
written-consent-in-lieu-of-meeting
Drafts U.S. corporate written-consent instruments (board, shareholder, member) as substitutes for formal meetings. Triggers when counsel requests board consent, shareholder written consent, unanimous consent, consent-in-lieu approvals, or "action without meeting" for contracts, financing, equity issuance, officer delegation, or governing-document amendments. Produces jurisdiction-aware approval records with threshold validation and execution mechanics.
whistleblower-protection-policy
Drafts a U.S. whistleblower-protection policy for corporate and nonprofit organizations. Triggers when the user needs a whistleblower policy, retaliation-prohibition clause, hotline-reporting framework, compliance-ethics policy, or governance document addressing SOX, Dodd-Frank, OSHA, or state whistleblower statutes.
whistleblower-policy
Drafts board-adoptable whistleblower protection policies for public companies and non-profits. Covers SOX, Dodd-Frank, and state statute compliance, reporting channels, investigation procedures, anti-retaliation, and governance oversight. Use when drafting whistleblower policies, ethics reporting procedures, or compliance programs.
unclaimed-property-policy
Drafts an enterprise Escheatment and Unclaimed Property Policy covering property identification, dormancy matrices, due diligence notices, NAUPA-format reporting, remittance, recordkeeping, and audit preparedness across all US state jurisdictions. Use when establishing or updating an unclaimed property compliance framework, preparing for state audits, or evaluating voluntary disclosure programs.
telemedicine-consent
Drafts dual-purpose telemedicine consent and policy documents covering informed consent, HIPAA privacy architecture, prescribing limitations, clinical scope boundaries, and patient acknowledgment sections. Addresses federal and state telehealth regulations, DEA controlled substance rules, and Interstate Medical Licensure Compact requirements. Use when drafting telehealth consent forms, telemedicine informed consent, remote patient monitoring agreements, virtual care policies, RPM consent documents, or store-and-forward authorization forms.
related-party-transaction-policy
Drafts a board-adoptable Related Party Transaction Policy for U.S. corporations governing identification, Audit Committee review, approval, and disclosure of related party transactions. Enforces SEC Item 404(a)/Regulation S-K compliance and stock exchange listing standards. Use when creating or updating RPT policies for public or private companies, or when drafting corporate governance documents addressing conflicts of interest.