Cookie consent

Problem Context

• Cookie consent applies to cookies and similar technologies such as local storage, pixels, tags, analytics SDKs, advertising identifiers, personalization storage, service-worker storage, and device access for tracking purposes.
• The consent mechanism may be launched from a cookie banner, cookies page, privacy settings, preference center, footer link, first-run flow, or regional compliance surface.
• Strictly necessary storage is handled differently from optional analytics, advertising, personalization, functional, social media, and measurement purposes.
• Cookie consent is a runtime contract: the UI, consent record, tag manager, server rendering, and client storage must all agree before optional technologies run.

Selection Rules

• Choose cookie consent when the decision controls cookies, pixels, local storage, tags, SDKs, or similar storage and access on the user's device.
• Use cookie banner for the first-layer notice that introduces cookie choices, not for the entire consent management model.
• Use consent prompt for optional data use that is not specifically cookie or similar device storage.
• Use preference center when the user returns to a durable hub that includes cookies alongside communication, topic, language, and privacy preferences.
• Use privacy settings for broader account, device, data-sharing, and product privacy controls.
• Use legal acceptance for terms or policy agreement; do not bundle legal acceptance with cookie consent.
• Refresh cookie consent when purposes, vendors, region rules, storage types, controller, or consequences materially change.
• Treat browser privacy signals and regional requirements as inputs to consent enforcement, not as decorative status text.

Required States

• Pre-consent state with optional storage blocked.
• Strictly necessary explanation state.
• Accept all optional purposes state.
• Reject all optional purposes state.
• Granular purpose choices state.
• Vendor or tag details state.
• Saved consent record state.
• Return visit state with stored preferences applied.
• Withdrawal or change preferences state.
• Renewal after version or purpose change state.
• Expired consent state.
• Browser privacy signal or Global Privacy Control state.
• No-JavaScript server-side preference state.
• Runtime mismatch or tag blocked state.
• Mobile compact consent state.

Interaction Contract

• Optional cookies, pixels, local storage, analytics tags, advertising tags, and similar technologies remain blocked until the matching purpose is accepted.
• Strictly necessary storage is identified separately and is not represented as optional consent.
• Accept all and reject all actions are reachable with comparable effort, prominence, keyboard access, and language clarity.
• Granular choices start off unless a current valid consent record already exists for the same purpose, version, and region.
• Saving consent writes a purpose-level record with version, timestamp, region, source surface, browser signal state, and withdrawal route.
• Withdrawal or reject-all stops future optional storage and updates the consent record rather than only hiding the interface.
• Adding or changing optional purposes triggers a renewal flow before new tags run.
• Runtime enforcement reports blocked, allowed, stale, unknown, failed-write, and signal-conflict states.

Implementation Checklist

• Inventory all cookies, pixels, tags, SDKs, local storage, service-worker storage, and server-set identifiers before designing the UI.
• Classify each item as strictly necessary or optional with purpose, vendor, lifetime, region, source, and runtime owner.
• Block optional technologies before consent in both server-rendered and client-rendered paths.
• Provide accept all, reject all, granular save, purpose details, vendor details, and withdrawal routes with comparable effort.
• Record purpose-level consent version, timestamp, region, controller, source surface, browser signal, and withdrawal state.
• Handle return visits, stale versions, new purposes, browser privacy signals, no-JavaScript submission, failed record writes, and tag-manager mismatches.
• Verify with network or tag inspection that optional storage does not run before consent and stops after withdrawal.
• Keep cookie consent separate from legal acceptance, marketing email opt-in, notification preferences, and broad privacy settings.

Common Generated-UI Mistakes

• Firing analytics or advertising tags before the user chooses.
• Using one accepted flag instead of purpose-level consent records.
• Preselecting optional categories in the settings layer.
• Making Accept all much easier to find than Reject all.
• Treating scrolling, swiping, closing, inactivity, or continued browsing as consent.
• Hiding withdrawal after the banner disappears.
• Claiming advertising cookies are strictly necessary without a defensible classification.
• Letting tag-manager configuration drift away from saved consent choices.

Critique Questions

• Which cookies, storage APIs, tags, SDKs, and server identifiers are strictly necessary versus optional?
• What proves optional storage is blocked before consent and after withdrawal?
• Can users reject all optional purposes with comparable effort to accepting all?
• Are optional purposes off by default and saved separately?
• What consent version, region, timestamp, source surface, and browser signal are recorded?
• How does the product handle new purposes, expired consent, no-JavaScript users, and failed record writes?
• Where can users later withdraw or change cookie consent after the banner is gone?