Cookie Consent Banner & Global Privacy Control Implementation Pack
Organization: [________________________________]
Effective Date: [__/__/____]
Document Owner: [________________________________]
Version: [____]
TABLE OF CONTENTS
- Overview and Legal Framework
- Consent Banner Copy — Multi-Variant
- Preferences Center / Second-Layer Modal
- Global Privacy Control (GPC) and Universal Opt-Out Handling
- "Do Not Sell or Share" and Opt-Out Links
- State-by-State Compliance Matrix
- Email and SMS Disclosure Language
- Recordkeeping Requirements
- Implementation Notes for Developers
- Accessibility Requirements
- Testing and QA
- Governance and Review
- Annexes
1. OVERVIEW AND LEGAL FRAMEWORK
1.1 Purpose
This package provides the policies, copy, technical requirements, and implementation guidance for cookie consent banners, preference management, and Global Privacy Control (GPC) signal recognition to comply with U.S. state privacy laws. Multiple states now require recognition of universal opt-out mechanisms (UOOMs) as valid consumer requests to opt out of the sale of personal data, sharing for cross-context behavioral advertising, and/or targeted advertising.
1.2 Legal Framework
| State | Statute | UOOM/GPC Requirement | Effective Date |
|---|---|---|---|
| California | CCPA/CPRA § 1798.135; 11 CCR § 7025 | Must treat opt-out preference signals (including GPC) as valid opt-out of sale/sharing | Jan. 1, 2023 |
| Colorado | CPA § 6-1-1306(1)(a)(IV); 4 CCR 904-3, Rule 5.11 | Must recognize universal opt-out mechanisms | July 1, 2024 |
| Texas | TDPSA § 541.055(e) | Must recognize universal opt-out mechanisms | July 1, 2024 |
| Connecticut | CTDPA § 42-518(b) | Must recognize universal opt-out mechanisms | Jan. 1, 2025 |
| Montana | MCDPA § 30-14-2805 | Must recognize universal opt-out mechanisms | Jan. 1, 2025 |
| Oregon | OCPA § 646A.576 | Must recognize universal opt-out mechanisms | Jan. 1, 2026 |
| Delaware | DPDPA § 12D-106 | Must recognize universal opt-out mechanisms | Jan. 1, 2026 |
| Additional states | [Monitor legislation] | Various effective dates | Ongoing |
1.3 Privacy Policy Statement
Insert the following (or substantially similar language) into your Privacy Policy:
We use cookies and similar tracking technologies to operate our Services, analyze traffic, personalize content, and support advertising. You can manage your preferences through our Cookie Settings tool. We honor browser-based Global Privacy Control ("GPC") signals and other universal opt-out mechanisms. When we detect a valid opt-out preference signal, we treat it as a request to opt out of the sale or sharing of personal information and targeted advertising for that browser or device. For details, see our [Cookie Notice] and [Privacy Policy].
2. CONSENT BANNER COPY — MULTI-VARIANT
2.1 First-Layer Banner (Web — Desktop/Mobile)
Headline: Your Privacy Choices
Body:
We and our partners use cookies and similar technologies to provide our services, understand how you use our site, and deliver relevant content and advertising. Choose "Accept All" to consent to all cookies, "Reject Non-Essential" to use only strictly necessary cookies, or "Manage Preferences" to customize your choices.
We honor Global Privacy Control signals and other universal opt-out mechanisms. [Learn more in our Privacy Policy].
Buttons (equal visual prominence):
| Button | Action | Style |
|---|---|---|
| Accept All | Sets all cookie categories to "consented" | Primary |
| Reject Non-Essential | Sets all non-essential categories to "rejected"; loads only strictly necessary | Secondary (equal prominence) |
| Manage Preferences | Opens second-layer preferences modal | Link/text button |
Implementation Notes:
☐ No pre-ticked boxes or pre-selected non-essential categories
☐ "Reject Non-Essential" button must have equal visual prominence to "Accept All" per CA AG and CO AG guidance
☐ Banner must not use dark patterns (manipulative design, confusing language, asymmetric choices)
☐ Banner must be dismissible; dismissal without affirmative action = no consent for non-essential cookies
2.2 First-Layer Banner (Mobile App)
Body (concise version):
We use cookies and tracking technologies. Manage your preferences or learn more in our [Privacy Policy]. We honor Global Privacy Control signals.
Buttons:
- Accept All
- Reject Non-Essential
- Manage Preferences
2.3 Returning Visitor Banner
For returning visitors who have previously set preferences:
Body: Your cookie preferences are saved. You can update them at any time. [Manage Preferences]
3. PREFERENCES CENTER / SECOND-LAYER MODAL
3.1 Cookie Categories and Defaults
| Category | Description | Default State | Configurable | Mechanism |
|---|---|---|---|---|
| Strictly Necessary | Required for core site functionality (authentication, security, load balancing). Cannot be disabled. | Always Active | ☐ No | Not configurable |
| Performance & Analytics | Helps us understand how visitors use our site and improve services. | Off (no consent) | ☐ Yes | Toggle switch |
| Functional | Enables personalization, remembers preferences, and provides enhanced features. | Off (no consent) | ☐ Yes | Toggle switch |
| Advertising & Targeting | Supports tailored advertisements and cross-site advertising. | Off (no consent) | ☐ Yes | Toggle switch |
| Social Media | Enables social sharing features and tracking by social platforms. | Off (no consent) | ☐ Yes | Toggle switch |
3.2 Additional Opt-Out Controls
| Control | Description | Default | Mechanism |
|---|---|---|---|
| Do Not Sell or Share My Personal Information | Prevents the sale or sharing of personal information for cross-context behavioral advertising (CCPA/CPRA definitions) | Off (opt-out honored when toggled on) | Dedicated toggle |
| Limit Use of My Sensitive Personal Information | Restricts processing of sensitive personal information to permitted purposes (California only, § 1798.121) | Off (limitation applied when toggled on) | Dedicated toggle |
| Opt-Out of Targeted Advertising | Opts out of targeted advertising as defined under CPA, TDPSA, CTDPA, and other state laws | Off (opt-out honored when toggled on) | Dedicated toggle |
3.3 Modal Buttons
| Button | Action |
|---|---|
| Save My Choices | Saves current selections; closes modal |
| Accept All | Consents to all categories; closes modal |
| Reject All Non-Essential | Rejects all non-essential categories; closes modal |
4. GLOBAL PRIVACY CONTROL (GPC) AND UNIVERSAL OPT-OUT HANDLING
4.1 Detection
On every page load, the application shall check for:
☐ Sec-GPC: 1 HTTP header
☐ navigator.globalPrivacyControl === true JavaScript API
☐ Other recognized universal opt-out mechanism signals as designated by applicable state regulations
4.2 Processing Logic
When a valid GPC or UOOM signal is detected:
| Step | Action | Implementation Detail |
|---|---|---|
| 4.2.1 | Treat as valid opt-out of sale/sharing of personal information (CCPA/CPRA) | Do not load advertising/targeting cookies; do not share data with ad partners |
| 4.2.2 | Treat as valid opt-out of targeted advertising (CPA, TDPSA, CTDPA, and other states requiring UOOM recognition) | Suppress cross-context behavioral advertising signals |
| 4.2.3 | Log the opt-out in consent management database | Record: timestamp, anonymized identifier (IP hash or session ID), browser agent, GPC signal value |
| 4.2.4 | Sync across subdomains and authenticated profiles | Apply opt-out to all properties within 24 hours; associate with user account if authenticated |
| 4.2.5 | Display confirmation | Show: "We detected your Global Privacy Control signal and have updated your privacy preferences accordingly." |
| 4.2.6 | Do not override GPC with consent banner interaction unless the user affirmatively opts in after receiving clear disclosure | Per 11 CCR § 7025(c)(6), a business must not interpret dismissal of a consent request as consent to override GPC |
4.3 GPC and Authenticated Users
☐ When a user with a GPC signal logs in, apply the opt-out to their authenticated profile
☐ If the authenticated profile previously consented to sale/sharing, the GPC signal takes precedence unless the user re-affirms consent with a specific, informed action (per 11 CCR § 7025)
☐ Document any conflicting consent/GPC signal scenarios
4.4 GPC and Third-Party Tags/Pixels
☐ When GPC is detected, suppress loading of all third-party tags/pixels classified as "advertising" or "targeting"
☐ Notify advertising partners via contractual obligations that GPC signals must be honored downstream
☐ Ensure server-side tracking (if any) also respects GPC signals
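The precedence rules in 4.2 through 4.4, evaluated on the server from the Sec-GPC request header, as an added example that is not part of the original template or of any CMP vendor's code. The function names, the stored-consent shape (including the optInAfterGpcNotice flag) and the sample tag inventory are assumptions; category and opt-out keys follow Annex A.

```javascript
// Added example. Function names, the stored-consent shape and the tag
// inventory are assumptions; category and opt-out keys follow Annex A.
const DEFAULTS = Object.freeze({
  strictly_necessary: true, performance: false, functional: false,
  advertising: false, social_media: false,
});

// Sec-GPC is a request header whose only defined value is "1".
// Node's http module lower-cases incoming header names.
function gpcFromHeaders(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// stored is null on a first visit, otherwise
// { categories, opt_outs, optInAfterGpcNotice }.
// optInAfterGpcNotice (hypothetical flag) is true only when the user
// affirmatively opted in after being told a GPC signal was detected
// (4.2.6, 4.3); a dismissed banner or an older "Accept All" never sets it.
function effectiveConsent(headers, stored) {
  const gpc = gpcFromHeaders(headers);
  const prior = stored || {};
  const priorOptOuts = prior.opt_outs || {};
  const gpcApplies = gpc && prior.optInAfterGpcNotice !== true;
  const categories = { ...DEFAULTS, ...(prior.categories || {}) };
  categories.strictly_necessary = true; // not configurable (3.1)
  const opt_outs = {
    do_not_sell_share: gpcApplies || priorOptOuts.do_not_sell_share === true,
    limit_sensitive_pi: priorOptOuts.limit_sensitive_pi === true,
    targeted_advertising: gpcApplies || priorOptOuts.targeted_advertising === true,
  };
  // Either opt-out keeps advertising/targeting tags off (4.2.1, 4.2.2).
  if (opt_outs.do_not_sell_share || opt_outs.targeted_advertising) {
    categories.advertising = false;
  }
  return { gpc_signal: gpc, categories, opt_outs };
}

// Decide on the server which tags the page template may emit (4.4).
function tagsToLoad(inventory, consent) {
  return inventory
    .filter((tag) => consent.categories[tag.category] === true)
    .map((tag) => tag.name);
}

// Constructed sample inventory.
const SAMPLE_TAGS = [
  { name: 'session', category: 'strictly_necessary' },
  { name: 'site-analytics', category: 'performance' },
  { name: 'ad-pixel', category: 'advertising' },
];
```

Deciding the tag list on the server means a suppressed advertising tag is never sent to the browser, so it cannot fire before client-side consent code runs.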
5. "DO NOT SELL OR SHARE" AND OPT-OUT LINKS
5.1 Required Footer Links
The following links must be persistently visible in the website footer and accessible from all pages:
| Link Text | Destination | Required By |
|---|---|---|
| "Do Not Sell or Share My Personal Information" | Preferences modal or dedicated opt-out page | CCPA/CPRA § 1798.135(a) |
| "Limit the Use of My Sensitive Personal Information" | Preferences modal (sensitive PI toggle) | CCPA/CPRA § 1798.135(a) (if sensitive PI is processed) |
| "Manage Cookies" / "Cookie Preferences" | Cookie preferences modal | Best practice / multiple state laws |
| "Your Privacy Choices" / opt-out icon (toggle graphic) | Preferences modal covering all opt-out rights | Multi-state (alternative combined link per CCPA/CPRA § 1798.135(a)(3)) |
5.2 Combined Link Option
Per CCPA/CPRA § 1798.135(a)(3), businesses may use a single, clearly labeled link titled "Your Privacy Choices" or "Your California Privacy Rights" combined with a recognizable opt-out preference icon, provided it leads to a mechanism allowing consumers to exercise all applicable opt-out rights.
5.3 Mobile App
☐ Include opt-out controls in app settings
☐ Recognize device-level tracking settings (iOS App Tracking Transparency; Android Privacy Sandbox)
☐ Provide "Do Not Sell or Share" toggle within app privacy settings
6. STATE-BY-STATE COMPLIANCE MATRIX
| Requirement | CA | CO | TX | CT | MT | OR | DE |
|---|---|---|---|---|---|---|---|
| Opt-out of sale link | Required (§ 1798.135) | Required (§ 6-1-1306) | Required (§ 541.055) | Required (§ 42-518) | Required | Required | Required |
| GPC/UOOM recognition | Required (11 CCR § 7025) | Required (4 CCR 904-3, R. 5.11) | Required (§ 541.055(e)) | Required (§ 42-518(b)) | Required | Required | Required |
| Opt-out of targeted advertising | Via "Do Not Share" | Required (§ 6-1-1306) | Required (§ 541.055) | Required (§ 42-518) | Required | Required | Required |
| Limit sensitive PI | Required (§ 1798.121) | Consent required | Consent required | Consent required | Consent required | Consent required | Consent required |
| No dark patterns | Required (§ 1798.185(a)(20)) | Required | Implied | Required | Required | Required | Required |
| Equal prominence buttons | Required (CA AG guidance) | Required (CO AG guidance) | Best practice | Best practice | Best practice | Best practice | Best practice |
7. EMAIL AND SMS DISCLOSURE LANGUAGE
Include the following in marketing communications:
You are receiving this message because you subscribed to updates from [________________________________]. We respect opt-out signals, including Global Privacy Control. To manage your privacy preferences, visit [PREFERENCES LINK]. To unsubscribe from marketing emails, click [UNSUBSCRIBE LINK] or call [________________________________].
8. RECORDKEEPING REQUIREMENTS
8.1 Consent Records
☐ Maintain consent receipts including: consent type (accept/reject/partial), timestamp, anonymized identifier, browser/device information, GPC signal status, consent version
☐ Retain records for at least [____] years or the period required by applicable law
☐ Store records in a format accessible for regulatory inquiry
8.2 Change Logs
☐ Maintain change logs for banner copy, styling, functionality, and preference options
☐ Document version history with dates of deployment
☐ Retain screenshots/recordings of each banner version
8.3 Vendor Contracts
☐ Review and document vendor/ad partner contracts for downstream GPC/opt-out signal honoring
☐ Maintain records of vendor certifications regarding opt-out compliance
9. IMPLEMENTATION NOTES FOR DEVELOPERS
9.1 Consent Management Platform (CMP)
| Requirement | Implementation |
|---|---|
| CMP Provider | [________________________________] |
| Load consent script asynchronously | Prevent render blocking |
| Block non-essential scripts by default | No tracking scripts fire before consent |
| Server-side integration | Consent state communicated to backend for server-side tracking |
| API endpoints for preference updates | Allow preference changes from account settings pages |
9.2 Cookie Categorization
☐ Audit and categorize all cookies, pixels, and tracking technologies
☐ Maintain a cookie inventory with: name, provider, category, purpose, duration, type (first-party/third-party)
☐ Update inventory quarterly or upon adding new tracking technologies
9.3 GPC Implementation
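```javascript
// Detect the GPC signal in the browser.
// Sec-GPC is an HTTP request header, not a cookie, so page script cannot
// read it from document.cookie; check the header on the server (see 4.1).
const gpcEnabled = navigator.globalPrivacyControl === true;
if (gpcEnabled) {
  // Suppress advertising/targeting cookies
  // Record opt-out in consent database
  // Display confirmation message
}
```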
9.4 Cross-Device Synchronization
☐ Sync consent preferences across subdomains via shared cookie or server-side state
☐ When user authenticates, apply account-level preferences across devices
☐ Ensure opt-out persists after browser restart and cookie clearing (for authenticated users)
10. ACCESSIBILITY REQUIREMENTS
10.1 WCAG 2.1 AA Compliance
☐ Banner and modal must meet WCAG 2.1 Level AA standards
☐ All interactive elements keyboard navigable
☐ Screen reader compatible (proper ARIA labels and roles)
☐ Sufficient color contrast (4.5:1 minimum for text)
☐ Focus management: focus moves to modal when opened, returns when closed
☐ Banner must not obscure critical page content or navigation
☐ Toggle switches must have clear on/off state indicators
11. TESTING AND QA
11.1 Test Plan
| Test | Frequency | Owner |
|---|---|---|
| Cross-browser testing (Chrome, Firefox, Safari, Edge) | Each release | QA |
| Mobile device testing (iOS, Android) | Each release | QA |
| GPC signal detection testing | Each release | QA |
| Consent state persistence testing | Each release | QA |
| Cross-device synchronization testing | Quarterly | QA |
| Third-party tag blocking verification | Monthly | Privacy Eng |
| Accessibility audit | Quarterly | Accessibility team |
| Regression testing after CMP updates | Each update | QA |
| Screenshot capture for compliance records | Each release | QA |
12. GOVERNANCE AND REVIEW
| Field | Information |
|---|---|
| Document Owner | [________________________________] |
| Review Frequency | Quarterly; immediately upon new state law effective date |
| Approval Authority | [________________________________] |
| Next Review | [__/__/____] |
13. ANNEXES
Annex A: Sample Consent Receipt JSON Structure
```json
{
  "consent_id": "uuid-v4",
  "timestamp": "ISO-8601",
  "anonymized_id": "sha256-hash",
  "gpc_signal": true,
  "consent_version": "2.1",
  "categories": {
    "strictly_necessary": true,
    "performance": false,
    "functional": false,
    "advertising": false,
    "social_media": false
  },
  "opt_outs": {
    "do_not_sell_share": true,
    "limit_sensitive_pi": false,
    "targeted_advertising": true
  },
  "user_agent": "browser-agent-string",
  "jurisdiction_detected": "CA"
}
```
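One way to produce and check the receipt above for the logging steps in 4.2.3 and 8.1, as an added example that is not part of the original template. It uses a keyed HMAC-SHA-256 for anonymized_id in place of a bare SHA-256 hash; the input field names, the key handling and the 512-character user-agent cap are assumptions.

```javascript
const crypto = require('node:crypto');

// Keyed hash rather than a bare SHA-256: the IPv4 address space is small
// enough to enumerate, so an unkeyed hash of an IP address can be reversed
// by hashing every candidate. Assumption: the key lives in a secret store,
// outside the consent database.
function anonymizeId(rawId, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(String(rawId)).digest('hex');
}

// Build a receipt with the Annex A field names. Input names are hypothetical.
function buildReceipt(input, secretKey, now = new Date()) {
  const c = input.categories || {};
  const o = input.optOuts || {};
  return {
    consent_id: crypto.randomUUID(),
    timestamp: now.toISOString(),
    anonymized_id: anonymizeId(input.rawId, secretKey),
    gpc_signal: input.gpcSignal === true,
    consent_version: String(input.consentVersion),
    categories: {
      strictly_necessary: true,
      performance: c.performance === true,
      functional: c.functional === true,
      advertising: c.advertising === true,
      social_media: c.social_media === true,
    },
    opt_outs: {
      do_not_sell_share: o.do_not_sell_share === true,
      limit_sensitive_pi: o.limit_sensitive_pi === true,
      targeted_advertising: o.targeted_advertising === true,
    },
    user_agent: String(input.userAgent || '').slice(0, 512), // assumed cap
    jurisdiction_detected: input.jurisdiction || null,
  };
}

// Return a list of problem fields; an empty list means well-formed.
function validateReceipt(r) {
  const errors = [];
  const uuidV4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
  if (!uuidV4.test(r.consent_id)) errors.push('consent_id');
  if (Number.isNaN(Date.parse(r.timestamp))) errors.push('timestamp');
  if (!/^[0-9a-f]{64}$/.test(r.anonymized_id)) errors.push('anonymized_id');
  if (typeof r.gpc_signal !== 'boolean') errors.push('gpc_signal');
  if (!r.categories || r.categories.strictly_necessary !== true) errors.push('categories');
  return errors;
}
```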
Annex B: Cookie Inventory Template
| Cookie Name | Provider | Category | Purpose | Duration | Type |
|---|---|---|---|---|---|
| [________________] | [________________] | ☐ Necessary ☐ Analytics ☐ Functional ☐ Advertising ☐ Social | [________________] | [____] | ☐ First-party ☐ Third-party |
Annex C: QA Test Checklist
☐ Banner displays on first visit (no prior consent)
☐ "Reject Non-Essential" blocks all non-essential cookies
☐ "Accept All" enables all categories
☐ "Manage Preferences" opens modal
☐ GPC signal detected and opt-out applied
☐ Confirmation message displayed for GPC
☐ Consent persists across page navigation
☐ Opt-out syncs to authenticated profile
☐ Footer links functional
☐ Accessibility: keyboard navigation, screen reader
Annex D: Accessibility Checklist (WCAG 2.1 AA)
☐ Keyboard navigable
☐ ARIA labels on all interactive elements
☐ Focus trapping in modal
☐ Color contrast ≥ 4.5:1
☐ Toggle state announced to screen readers
☐ Escape key closes modal
SOURCES AND REFERENCES
- CCPA/CPRA, Cal. Civ. Code § 1798.120, § 1798.135
- 11 CCR § 7025 (Opt-Out Preference Signals)
- Colorado Privacy Act, C.R.S. § 6-1-1306; 4 CCR 904-3, Rule 5.11
- TDPSA, Tex. Bus. & Com. Code § 541.055(e)
- CTDPA, Conn. Gen. Stat. § 42-518(b)
- Montana MCDPA, Mont. Code Ann. § 30-14-2805
- Oregon OCPA, ORS § 646A.576
- Delaware DPDPA, 6 Del. C. § 12D-106
- Global Privacy Control Specification, https://globalprivacycontrol.org
- CA AG Enforcement Advisory on Dark Patterns (Mar. 2024)
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026