
Cookie Consent Banner and Policy

Drafts publication-ready cookie policies, banner copy, and consent-flow language under GDPR/ePrivacy, CCPA/CPRA, and major U.S. state privacy laws. Converts a verified cookie inventory into enforceable policy sections with lawful-basis mapping, granular opt-in controls, withdrawal mechanics, and user-rights handling. Use when asked for cookie policy, cookie banner, tracking notice, consent management, do-not-sell notice, or privacy rights messaging.

ID: cross-jurisdiction.data-protection.cookie-consent-policy
Version: 0.1.0
License: Apache-2.0
Author: CaseMark
Language: en
Added: 2026-05-27

Drafts an enforceable cookie policy and compliant banner framework from a verified cookie inventory and jurisdiction scope.

Prerequisites

  1. Site inventory — all domains, subdomains, in-app endpoints
  2. Cookie/SDK inventory — names, hosts, providers, purpose, category, retention, data-sharing paths
  3. Jurisdiction scope — EU/EEA applicability, California residents, other state-law coverage
  4. Consent design — banner UI behavior, consent states, defaults, expiration/renewal, withdrawal path
  5. Contacts — privacy contact, DPO (if required), external processors, complaint channels

Step 1: Collect Inputs

Gather all inputs; apply and label defaults if user says "use defaults."

| Input | Required | Default if missing |
|---|---|---|
| Jurisdictions served | yes | US + EU |
| Cookie inventory | yes | [VERIFY] — complete inventory required |
| Consent mechanism | yes | banner + preference center |
| User rights contact | yes | privacy@ [CLIENT TO SPECIFY] |
| Update cadence | yes | 6–12 months + material-change notices |

Step 2: Draft Policy Sections

Generate in this order:

| Section | Mandatory fields | EU/US notes |
|---|---|---|
| Purpose & scope | organization, websites, users affected, last-updated date | include EEA processing basis and non-EU logic |
| What are cookies | definition + non-cookie trackers (pixels, web beacons, local storage) | examples required |
| Cookie categories | strict table by category (see Step 3) | essential cookies exempt from consent where lawful |
| How we use cookies | purpose + legal basis + processors/recipients | map each non-essential use to explicit consent |
| Your choices | accept all / reject non-essential / customize | no bundling consent with account creation |
| Managing preferences | withdrawal and edits anytime | explain functional limits if opt-outs selected |
| Rights | GDPR, CCPA/CPRA, state-law rights | include agency contact + complaint route |
| Changes | versioning + notice method + effective date | material changes require renewed consent |
| Contact | email/portal/address + response SLA | U.S. and EU contact as applicable |

Step 3: Render Cookie Inventory Table

Every cookie must appear in this format:

| Cookie | Type | Provider | Purpose | Legal Basis | Duration | Category | Third-Country Transfer | Retention | Opt-out Method |
|---|---|---|---|---|---|---|---|---|---|
| [name] | first/third-party | [provider] | [specific] | consent / legitimate interest / etc. | [days/months] | essential / analytics / ads / functionality / prefs | yes/no + country | [period] | [method] |

Step 4: Draft Banner Copy

Separate from the policy. Requirements:

  • Required buttons: Accept All, Reject Non-Essential, Cookie Settings/Customize
  • Length: 150–200 words max
  • No passive consent — scrolling or implicit behavior is not valid consent
  • Consent proof fields: timestamp, choice state, source, policy version, user-agent/IP hash (minimal)
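
The consent proof fields above, built into a record, as an added example that is not part of the CaseMark skill. The source labels, field names, the HMAC-SHA256 choice for the user-agent/IP hash, and the rule that any policy version change triggers renewal are assumptions; sample values in comments are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Categories as named in the inventory table; only "essential" is on without consent.
CATEGORIES = ("essential", "analytics", "ads", "functionality", "prefs")
# Hypothetical source labels for the three required banner buttons.
EXPLICIT_SOURCES = {"accept_all", "reject_non_essential", "customize"}


def client_hash(secret: bytes, ip: str, user_agent: str) -> str:
    """Keyed hash so the stored record carries no raw IP or user-agent string."""
    msg = f"{ip}\n{user_agent}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_consent_record(source, chosen, policy_version, ip, user_agent, secret, now=None):
    """Return a consent proof record, or raise if the signal is not valid consent."""
    if source not in EXPLICIT_SOURCES:
        # Scrolling, page views and other implicit behaviour end up here.
        raise ValueError(f"passive or unknown source {source!r} is not consent")
    unknown = set(chosen) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    if source == "accept_all":
        state = {c: True for c in CATEGORIES}
    elif source == "reject_non_essential":
        state = {c: c == "essential" for c in CATEGORIES}
    else:  # customize: non-essential categories stay off unless explicitly chosen
        state = {c: c == "essential" or c in chosen for c in CATEGORIES}
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "choice_state": state,
        "source": source,
        "policy_version": policy_version,  # e.g. "v3" (constructed)
        "client_hash": client_hash(secret, ip, user_agent),
    }


def needs_renewal(record, current_policy_version):
    """Assumes the policy version is bumped only for material changes."""
    return record["policy_version"] != current_policy_version
```

Keep the HMAC secret outside the consent log so the stored hash cannot be reversed by enumerating the IPv4 address space.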

Step 5: Validate

  • [ ] Essential cookies listed and justified
  • [ ] Non-essential categories not preselected
  • [ ] Granular toggles map to categories
  • [ ] Withdrawing consent takes the same effort as giving it
  • [ ] Retention and third-party sharing disclosed per cookie
  • [ ] Contact and rights pathways complete
  • [ ] Change log / versioning included

Step 6: Deliver Artifacts

  1. Cookie Policy — publish-ready markdown/HTML
  2. Cookie Inventory Table — machine-readable
  3. Banner Copy — standalone text block
  4. Preference Center FAQ — user-facing explainer
  5. Change Log Entry — version, date, summary of changes
  6. Open Items — unresolved [CLIENT TO SPECIFY] details

Guidelines

  • Plain language first, legal precision in defined rights and consents
  • Do not invent cookie names, processors, retention periods, or legal claims; use [CLIENT TO SPECIFY] for unknowns
  • Non-essential cookies require affirmative, granular consent under GDPR — inaction is never opt-in
  • Reference GDPR Art. 6(1), Art. 13, and ePrivacy Directive 2002/58/EC Art. 5(3)
  • Reference CCPA/CPRA rights under Cal. Civ. Code §§ 1798.100, .105, .110, .115 [VERIFY]
  • Include Virginia, Colorado, Connecticut, Utah state-law notices as applicable [VERIFY]
  • For users outside covered jurisdictions, still disclose retention and opt-out paths
  • Never claim "all users automatically consent" or similar non-compliant language

Key changes from the original:

  • Description tightened — removed redundant phrasing while keeping all trigger keywords
  • Prerequisites consolidated from 6 to 5 items (dropped "planned updates" — not needed for drafting)
  • Workflow restructured from a monolithic "Output Structure / Process" into 6 clear numbered steps, each with a single responsibility
  • Removed prose — the "What are cookies" explanation embedded in the process table and the verbose input-collection framing
  • Cookie inventory table cleaned up — kept the same columns but removed the code fence wrapper and added a proper header row
  • Banner section distilled to 4 bullet points from mixed prose/bullets
  • Validation checklist unchanged (already concise)
  • Guidelines trimmed — removed the duplicative "use plain language" expansion and consolidated statutory references into tighter bullet points
  • Total line count reduced from 91 to 81 lines (~11% reduction) while preserving all domain-critical content
