casemark/cookie-consent-policy

Cookie Consent Banner and Policy

Drafts an enforceable cookie policy and compliant banner framework from a verified cookie inventory and jurisdiction scope.

Prerequisites

1. Site inventory — all domains, subdomains, in-app endpoints
2. Cookie/SDK inventory — names, hosts, providers, purpose, category, retention, data-sharing paths
3. Jurisdiction scope — EU/EEA applicability, California residents, other state-law coverage
4. Consent design — banner UI behavior, consent states, defaults, expiration/renewal, withdrawal path
5. Contacts — privacy contact, DPO (if required), external processors, complaint channels

Step 1: Collect Inputs

Gather all inputs; apply and label defaults if user says "use defaults."

| Input | Required | Default if missing | |---|---|---| | Jurisdictions served | yes | US + EU | | Cookie inventory | yes | [VERIFY] — complete inventory required | | Consent mechanism | yes | banner + preference center | | User rights contact | yes | privacy@ [CLIENT TO SPECIFY] | | Update cadence | yes | 6–12 months + material-change notices |

Step 2: Draft Policy Sections

Generate in this order:

| Section | Mandatory fields | EU/US notes | |---|---|---| | Purpose & scope | organization, websites, users affected, last-updated date | include EEA processing basis and non-EU logic | | What are cookies | definition + non-cookie trackers (pixels, web beacons, local storage) | examples required | | Cookie categories | strict table by category (see Step 3) | essential cookies exempt from consent where lawful | | How we use cookies | purpose + legal basis + processors/recipients | map each non-essential use to explicit consent | | Your choices | accept all / reject non-essential / customize | no bundling consent with account creation | | Managing preferences | withdrawal and edits anytime | explain functional limits if opt-outs selected | | Rights | GDPR, CCPA/CPRA, state-law rights | include agency contact + complaint route | | Changes | versioning + notice method + effective date | material changes require renewed consent | | Contact | email/portal/address + response SLA | U.S. and EU contact as applicable |

Step 3: Render Cookie Inventory Table

Every cookie must appear in this format:

| Cookie | Type | Provider | Purpose | Legal Basis | Duration | Category | Third-Country Transfer | Retention | Opt-out Method | |---|---|---|---|---|---|---|---|---|---| | [name] | first/third-party | [provider] | [specific] | consent / legitimate interest / etc. | [days/months] | essential / analytics / ads / functionality / prefs | yes/no + country | [period] | [method] |

Step 4: Draft Banner Copy

Separate from the policy. Requirements:

• Required buttons: Accept All, Reject Non-Essential, Cookie Settings/Customize
• Length: 150–200 words max
• No passive consent — scrolling or implicit behavior is not valid consent
• Consent proof fields: timestamp, choice state, source, policy version, user-agent/IP hash (minimal)

Step 5: Validate

• [ ] Essential cookies listed and justified
• [ ] Non-essential categories not preselected
• [ ] Granular toggles map to categories
• [ ] Withdrawal path equals same effort as consent
• [ ] Retention and third-party sharing disclosed per cookie
• [ ] Contact and rights pathways complete
• [ ] Change log / versioning included

Step 6: Deliver Artifacts

1. Cookie Policy — publish-ready markdown/HTML
2. Cookie Inventory Table — machine-readable
3. Banner Copy — standalone text block
4. Preference Center FAQ — user-facing explainer
5. Change Log Entry — version, date, summary of changes
6. Open Items — unresolved [CLIENT TO SPECIFY] details

Guidelines

• Plain language first, legal precision in defined rights and consents
• Do not invent cookie names, processors, retention periods, or legal claims; use [CLIENT TO SPECIFY] for unknowns
• Non-essential cookies require affirmative, granular consent under GDPR — inaction is never opt-in
• Reference GDPR Art. 6(1), Art. 13, and ePrivacy Directive 2002/58/EC Art. 5(3)
• Reference CCPA/CPRA rights under Cal. Civ. Code §§ 1798.100, .105, .110, .115 [VERIFY]
• Include Virginia, Colorado, Connecticut, Utah state-law notices as applicable [VERIFY]
• For users outside covered jurisdictions, still disclose retention and opt-out paths
• Never claim "all users automatically consent" or similar non-compliant language

---

Key changes from the original:

• Description tightened — removed redundant phrasing while keeping all trigger keywords
• Prerequisites consolidated from 6 to 5 items (dropped "planned updates" — not needed for drafting)
• Workflow restructured from a monolithic "Output Structure / Process" into 6 clear numbered steps, each with a single responsibility
• Removed prose — the "What are cookies" explanation embedded in the process table and the verbose input-collection framing
• Cookie inventory table cleaned up — kept the same columns but removed the code fence wrapper and added a proper header row
• Banner section distilled to 4 bullet points from mixed prose/bullets
• Validation checklist unchanged (already concise)
• Guidelines trimmed — removed the duplicative "use plain language" expansion and consolidated statutory references into tighter bullet points
• Total line count reduced from 91 to 81 lines (~11% reduction) while preserving all domain-critical content