GDPR & CCPA Configurations

Cookie Compliance ships with default settings that let you quickly configure your banner according to best practices for GDPR and CCPA compliance. The recommended configurations are listed below.

Each parameter is enabled or disabled by default based on best practices for complying with GDPR and CCPA. Click any of the consent parameters in the table below for more info on its function and default setting.

Accept Consent: GDPR + CCPA
Reject Consent: GDPR + CCPA
Customize Consent: GDPR + CCPA
Revoke Consent: GDPR only
Privacy Policy Link: GDPR only
Do Not Sell Link: CCPA only
Geolocation: GDPR + CCPA
Consent on Close: disabled
Consent on Click: CCPA only
Consent on Scroll: CCPA only
UI Blocking: disabled
Reloading: disabled

Note: Default values recommended for GDPR and CCPA have been cited as best practices by international data privacy law experts, and do not constitute a legal opinion.

Accept Consent

Places a button on the banner that allows visitors to accept all cookies, or certain categories of cookies (if Customize Consent = Enabled).

How it works:

  • When clicked, a positive consent is recorded, and a consent cookie is stored in visitor’s browser.
  • Until consent cookie is cleared or expires, accepted cookies running on your website will be placed on the visitor’s browser.
  • You can change the duration of positive consent by adjusting the Accepted Period in the Duration parameter.

Accept Consent is required for all banner configurations.


Reject Consent

Places a button on the banner that allows visitors to decline or reject non-essential cookies.

How it works:

  • When clicked, a negative consent is recorded, and a consent cookie is stored in visitor’s browser.
  • Until consent cookie is cleared or expires, non-essential cookies are blocked each time visitor accesses your website from the same browser.
  • You can change the duration of negative consent by adjusting the Rejected Period in the Duration parameter.

GDPR Default: Enabled

  • GDPR Recital 42 & Recital 32 require that a 'separate consent per purpose' is requested, and that website visitors are able to accept or reject cookies by purpose categories (functional, analytics, marketing). 

CCPA Default: Enabled

  • CCPA Section 1798.135 requires that website visitors be given the ability to 'opt-out' of analytics and marketing cookies via either a button or 'Do Not Sell' link.


Customize Consent

Places a button on the banner that allows visitors to customize their consent based on cookie purpose categories.

How it works:

  • When clicked, banner expands to show Preferences section.
  • Visitor can read cookie purpose category descriptions and provide consent to certain categories through the toggles.
  • When visitor clicks Accept, a positive consent is recorded and a consent cookie is stored in visitor’s browser.
  • Until consent cookie is cleared or expires, accepted cookie categories will be placed on the visitor’s browser.
  • You can manage cookie categories, descriptions, and patterns through the Autoblocking page.

GDPR Default: Enabled

  • GDPR Recital 42 & Recital 32 require that a 'separate consent per purpose' is requested, and that website visitors are able to accept or reject cookies by purpose categories (functional, analytics, marketing). 

CCPA Default: Enabled

  • CCPA Section 1798.135 requires that a website include either (1) a way to opt-out of personal data sales via 'Do Not Sell' link, or (2) a way to affirmatively 'opt-in' to individual cookie purpose categories.
  • If ‘Do Not Sell’ Link = Enabled, including a way for visitors to opt-in to individual cookie purpose categories is not needed, but is still a recommended best practice.


Revoke Consent

Places a floating icon or link on your site that visitors can use to update or revoke their consent after it has been recorded.

How it works:

  • When clicked, the banner re-opens to show the previous choices made by the visitor. 
  • Once visitor has updated their consent, the consent cookie stored in visitor’s browser is updated. Cookie categories will be blocked based on the visitor’s most recent consent.
  • Cookies that were already placed on visitor’s browser will not be automatically removed if visitor revokes their consent.

GDPR Default: Enabled

  • GDPR Article 7 & Recital 32 require that website visitors are presented with a clear opportunity to withdraw consent after it has been given. The banner should allow the user to change the consent at any time.

CCPA Default: Disabled

  • There is no requirement under CCPA to clearly present visitors with a way to withdraw consent after it has been given.


Privacy Policy Link

Displays a button or link on the banner that redirects to your website’s privacy policy page or “information page” where visitors can access more information about your website’s privacy practices.

How it works:

  • When clicked, visitor is redirected to the link target.

GDPR Default: Enabled

  • GDPR Article 13 & Article 14 require that an “information page” such as a Privacy Policy be accessible from either a button or link when requesting consent from a website visitor.

CCPA Default: Disabled

  • There is no requirement under CCPA to provide a link to your website’s privacy policy directly in the banner. However, CCPA does require that you generally provide a way to access the privacy policy on your site. 


Do Not Sell Link

Displays a button or link to your website’s ‘Do Not Sell My Personal Information’ page.

Your 'Do Not Sell' page should contain an opt-out form.

How it works:

  • When clicked, visitor is redirected to the link target.

GDPR Default: Disabled

  • There is no requirement under GDPR to provide a ‘Do Not Sell’ link or button directly in the banner.

CCPA Default: Enabled

  • CCPA Section 1798.135 requires that the consent banner include either (1) a way to opt-out of personal data sales via 'Do Not Sell' link, or (2) a way to affirmatively 'opt-in' to individual cookie purpose categories.
  • If Customize Consent = Enabled, including a method for visitors to access a ‘Do Not Sell’ form on the banner is not needed, but is still a recommended best practice.


Geolocation

Shows a version of the banner based on the visitor’s location (derived from their IP address).

How it works:

  • When a visitor lands on your website, session data is sent from their browser to the server, which returns an approximate geolocation based on the IP address.
  • The geolocation logic determines which version of the banner will be shown.

Default:

When both GDPR and CCPA apply to your business, geolocation is enabled by default.

  • For visitors with an IP address in European Union (EU) countries, the GDPR banner is always shown, as required.
  • For visitors with an IP address in the United States (US), the CCPA banner is always shown to accommodate California residents who may visit your site from an IP with a location outside California.


Consent on Close

Records a positive consent when visitor closes the banner.

How it works:

  • When enabled, a positive consent is recorded when the banner is closed.

GDPR Default: Disabled

  • GDPR Article 4 requires the user to give an ‘unambiguous indication’ through a ‘clear and affirmative action’ in order for consent to be registered and valid. Closing a cookie banner without consent being registered as positive does not imply an affirmative action.

CCPA Default: Disabled

  • While there is no requirement to register a valid consent only after an affirmative action, this parameter is disabled by default to manage the risk of misinterpreting the visitor's choice when they close the banner.


Consent on Click

Records a positive consent when visitor clicks anywhere outside of the banner.

How it works:

  • When enabled, a click outside the banner registers a positive consent similar to 

GDPR Default: Disabled

  • GDPR Recital 32 requires that consent is registered only after an affirmative action, like clicking on a button or checking a box. Clicking an element on the banner or page without consent being registered as positive does not imply an affirmative action.

CCPA Default: Enabled

  • There is no requirement under CCPA to register consent only after an affirmative action. This parameter is enabled by default so that a visitor's consent registers as positive when they take an action outside the banner.


Consent on Scroll

Records a positive consent when visitor scrolls on the page.

How it works:

  • When visitor scrolls on the page, a positive consent is recorded after scrolling a certain number of pixels.

GDPR Default: Disabled

  • GDPR Recital 32 requires that consent is registered only after an affirmative action, like clicking on a button or checking a box. Scrolling on the page without consent being registered as positive does not imply an affirmative action.

CCPA Default: Enabled

  • There is no requirement under CCPA to register consent only after an affirmative action. This parameter is enabled by default so that a visitor's consent registers as positive when they take an action outside the banner.


UI Blocking

Forces the visitor to provide their consent before using your website.

How it works:

  • Blocks your website UI until a visitor’s consent is recorded. 

GDPR Default: Disabled

  • GDPR Recital 32 states that your website should be accessible even if the user didn’t respond to the request for consent. If there are other ways to show the banner without blocking (or disturbing) access to the service, they are preferred over a consent wall.

CCPA Default: Disabled

  • While there is no requirement under CCPA that prevents a consent wall, this parameter is disabled by default to support a better visitor experience.


Reloading

For websites using server-side cookies, this reloads the page in real time once consent is recorded, so that unblocked services can be placed on the visitor’s browser.

How it works:

  • Reloads the page once a visitor’s consent is recorded.

Defaults:

  • This parameter is disabled by default for both GDPR and CCPA. 


Duration

Determines the length of time the visitor’s consent cookie is stored in the browser.

How it works:

  • The visitor's consent cookie expires based on the duration set in the Accepted Period or Rejected Period.
  • A new consent cookie will be placed on the visitor's browser the next time they visit the site and interact with the banner.

Defaults:

  • Both GDPR and CCPA recommend that consent is captured at regular intervals to give visitors the opportunity to make an informed choice. 
