Cookie + tracker consent management

cookie-consent-management · Domain: data-privacy · Type: mixed

Description

Cookie consent management is the inventory-and-gating function that sits behind the consent banner. The work is cataloguing every first-party and third-party cookie, SDK, pixel, and tag the product loads in production, classifying each into one of the standard categories (strictly necessary, functional, analytics, advertising), and gating the non-necessary categories behind opt-in consent in markets that require it. The visible banner is the consequence of the inventory work being right; an unimpeachable banner sitting on top of a misclassified inventory does not survive a regulator inquiry that traces the actual network traffic.

The operational pipeline decomposes into three pieces. The periodic tag scan catches what is actually loading in production, which routinely differs from what the marketing team thinks is loading because tag managers accumulate over time and tag containers nest other tag containers that nest still others; a scan against the live production surface is the only way to ground-truth the inventory, and the scans typically run quarterly or after any major site change. The categorization decisions for new tags that get added between scans handle the steady-state churn (a marketing team adding a new pixel without privacy-team review is the canonical drift event), and the gating logic that prevents new tags from firing before they have been categorized is what holds the line. The integration to the consent-banner layer ensures the categorization actually controls what fires downstream: this is the connection layer that, when it fails, produces the most-cited enforcement signature in the space. The categorization is what makes the user opt-out meaningful, and a strictly-necessary classification that quietly covers an analytics tag is the recurring enforcement signature because regulators find it through traffic analysis rather than through document review.

The trade-off pressure is between the marketing team wanting maximum tag flexibility (which biases toward permissive defaults) and the privacy team wanting tight categorization with restrictive gating (which biases toward conservative defaults); recent enforcement (EDPB Cookie Banner Task Force, CNIL Google decision, ICO advertising cookie enforcement) has consistently sided with the conservative default.

The statutory anchors define both the consent threshold and the per-jurisdiction acceptable mechanism. GDPR Articles 6 and 7 plus ePrivacy Directive Article 5(3) require opt-in for non-essential cookies in the EU, with EDPB guidance and Member State DPA decisions (CNIL, Garante, AEPD particularly) setting the operational expectations on banner design and integration discipline. UK PECR Regulation 6 plus ICO guidance set the parallel UK regime. CCPA §1798.135 requires Do Not Sell support plus Global Privacy Control compliance for California, with the 2024 California Attorney General enforcement push specifically targeting GPC-signal-handling failures. UK AADC PECR Regulation 6 layers child-specific cookie obligations. Japan APPI requires its own consent shape for cross-border data flows.

Evidence formats that satisfy a regulator inquiry include the cookie inventory itself (with per-cookie classification and lifetime), the tag-manager configuration that enforces the categorization, the pre-consent network log demonstrating that no non-essential tags fire before the user opts in, and the IAB TCF signal where the platform participates in that framework.
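One way to check a captured network log against the inventory, as an added example that is not Magist's or any vendor's code: it replays a page-load capture in time order and flags any request whose tag is uncategorized or whose category has not been opted in to yet. The hostnames, the event shape (`t`, `type`, `granted`) and the rule that subdomains inherit their parent's classification are assumptions made for the illustration.

```javascript
// Constructed inventory: hostname -> category, as the privacy team classified it.
const inventory = {
  "shop.example": "strictly_necessary",
  "metrics.example": "analytics",
  "ads.example": "advertising",
};

// Constructed capture: t is ms since page load; a consent event lists the
// categories the user opted in to at that moment.
const capture = [
  { t: 10, type: "request", url: "https://shop.example/index.html" },
  { t: 40, type: "request", url: "https://cdn.shop.example/app.js" },
  { t: 95, type: "request", url: "https://eu.metrics.example/collect?v=1" },
  { t: 120, type: "request", url: "https://pixel.newvendor.example/p.gif" },
  { t: 3000, type: "consent", granted: ["analytics"] },
  { t: 3100, type: "request", url: "https://metrics.example/collect?v=1" },
  { t: 3150, type: "request", url: "https://ads.example/sync" },
];

// Try the exact host, then each parent domain (never the bare TLD), so
// eu.metrics.example inherits the classification of metrics.example.
function classify(inv, hostname) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (Object.prototype.hasOwnProperty.call(inv, candidate)) return inv[candidate];
  }
  return null;
}

// Replay in time order; only strictly necessary tags are allowed before opt-in.
function auditCapture(inv, events) {
  const granted = new Set(["strictly_necessary"]);
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "consent") { ev.granted.forEach((c) => granted.add(c)); continue; }
    const host = new URL(ev.url).hostname;
    const category = classify(inv, host);
    if (category === null) {
      findings.push({ t: ev.t, host, issue: "uncategorized" });
    } else if (!granted.has(category)) {
      findings.push({ t: ev.t, host, issue: "fired_without_consent", category });
    }
  }
  return findings;
}

console.log(auditCapture(inventory, capture));
```

The check trusts the inventory's own labels, so an analytics tag misfiled as strictly necessary passes it; that case still needs a reviewer comparing each host's observed traffic with its classification.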

Required by (4 regulations)

  • APPI

    Act on the Protection of Personal Information (Act No. 57 of 2003, as amended by Act No. 44 of 2020, effective April 1, 2022)

  • CCPA/CPRA

    CCPA §1798.135 — Do Not Sell + Global Privacy Control compliance.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • GDPR

    Article 6/7 + ePrivacy Directive Article 5(3) — opt-in for non-essential cookies.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • UK AADC

    PECR Reg. 6.

    Data Protection Act 2018, s.123; Age Appropriate Design: A Code of Practice for Online Services (ICO, 2020)

Fulfilled by (4)

  • onetrust · full · medium effort · $$
  • didomi · full · medium effort · $$
  • osano · full · low effort · $
  • cookieyes · partial · low effort · $

Magist does not accept payment from vendors.

Evidence formats

  • cookie inventory
  • tag manager configuration
  • pre-consent network log
  • IAB TCF signal

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

© 2026 Magist