What it means & why it matters
This scope wires a consent-management provider (Cookiebot, Termly or equivalent), renders the banner and preference center, and connects consent categories to script-loading behavior on the site.
The legal layer remains outside this workstream: policy text authorship, jurisdiction interpretation, legal advice and compliance accountability are owned by the client and their legal counsel.
SessDev delivers implementation and validation for the agreed categories and providers. Ongoing compliance operations, policy refresh cycles and legal-risk decisions are operational responsibilities after handoff.
What SessDev includes
- Integration against one agreed CMP provider (Cookiebot, Termly, or equivalent) using client-owned account credentials and configuration.
- Implementation of banner and preferences entry point with the agreed placement, language variant hooks and close/reopen behavior.
- Mapping of consent categories (necessary, analytics, marketing, optional custom category if supported) to documented behavior.
- Category-based gating for analytics and marketing scripts so blocked categories do not execute before consent is granted.
- Preference persistence wiring through CMP storage and retrieval mechanisms so user choices are retained across sessions per provider behavior.
- Basic regional rule handling as exposed by the chosen CMP configuration (for example EEA-first gating presets when available).
- Banner links wired to client-supplied policy URLs (privacy, cookies, terms) with locale-aware routing when needed.
- Event hooks or callbacks wired for downstream measurement when supported by provider SDK/API.
- 1 validation pass: initial banner load, category toggle behavior, script-blocking confirmation and preference recall.
- 1 recorded walkthrough covering configuration locations, safe update procedure and scope boundaries.
What is excluded
- Drafting legal text for privacy policy, cookie policy, terms or jurisdiction-specific notices.
- Providing legal advice, interpretation of regulations or risk acceptance recommendations.
- Authoring policy copy, revising legal language or approving lawful basis statements.
- Comprehensive cookie audit, scanner interpretation and ongoing reclassification of third-party technologies.
- CMP procurement, contract negotiation and vendor legal review.
- Ongoing compliance operations, recurring audits and policy lifecycle governance after launch.
- Multi-jurisdiction legal research (GDPR, ePrivacy, CCPA/CPRA, LGPD and others) beyond implementation presets.
- Formal legal/UX review for dark-pattern exposure under evolving enforcement interpretations.
- Interpretation of analytics outcomes or business insights from consent acceptance rates.
- Marketing campaign setup tied to consent outcomes, audience creation and ad-platform governance.
- Data-subject request operations, fulfillment workflow and recordkeeping obligations.
Risks if this is mis-configured
Cookie category misclassification
If scripts are mapped to incorrect categories, non-essential technologies may run without valid consent. Implementation follows agreed mapping, but upstream classification accuracy remains a legal/ops responsibility.
Consent bypass through unmanaged script paths
Hardcoded or third-party script injections outside the gating path can bypass consent controls. Governance of all script entry points is required after launch to keep controls effective.
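An added example (not SessDev's or any CMP vendor's code) of a post-launch check for this risk: it scans page HTML for script tags that the browser would execute before any consent decision. It assumes manual gating markup in which held scripts carry type="text/plain" plus a data-cookieconsent category; the allowlist, hosts and sample page are constructed.

```javascript
// Added example. Assumptions (not from the page): manual gating where held
// scripts carry type="text/plain" plus a data-cookieconsent category, and a
// hypothetical allowlist of hosts agreed as "necessary".
const NECESSARY_HOSTS = new Set(["www.example.test", "cmp.example.test"]);
const BASE = "https://www.example.test/";
const EXECUTABLE = new Set(["", "text/javascript", "application/javascript", "module"]);

function parseAttrs(openTag) {
  const attrs = {};
  const body = openTag.replace(/^<script/i, "").replace(/\/?>$/, "");
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns scripts the browser would run on load regardless of consent state.
function findUngatedScripts(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const attrs = parseAttrs(m[0].slice(0, m[0].indexOf(">") + 1));
    const type = (attrs.type || "").trim().toLowerCase();
    if (!EXECUTABLE.has(type)) continue; // text/plain, JSON-LD: never executed
    if (attrs.src) {
      const host = new URL(attrs.src, BASE).host;
      if (NECESSARY_HOSTS.has(host)) continue;
      // A category attribute alone does not hold a script back.
      const reason = attrs["data-cookieconsent"]
        ? "category set but type is executable" : "no consent marker";
      findings.push({ kind: "external", target: host, reason });
    } else if (/createElement\(\s*['"]script['"]\s*\)|document\.write\(/.test(m[1])) {
      findings.push({ kind: "inline", target: m[1].trim().slice(0, 40), reason: "injects a script at runtime" });
    }
  }
  return findings;
}

// Constructed sample page: two gated or inert tags, two allowlisted, three findings.
const SAMPLE_HTML = `
<script src="https://cmp.example.test/banner.js"></script>
<script type="text/plain" data-cookieconsent="marketing" src="https://pixel.example.test/p.js"></script>
<script src="https://stats.example.test/a.js"></script>
<script data-cookieconsent="analytics" src="https://tags.example.test/t.js"></script>
<script type="application/ld+json">{"@type":"Organization"}</script>
<script>var s=document.createElement("script");s.src="https://ads.example.test/x.js";document.head.appendChild(s);</script>
<script src="/assets/app.js"></script>`;
console.log(findUngatedScripts(SAMPLE_HTML));
```

Tags added at runtime by a tag manager do not appear in static HTML, so pair this check with a browser network capture taken before any consent choice is made.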
Regional behavior mismatch
If geo-targeting presets are misconfigured, users in strict jurisdictions can receive incorrect defaults. CMP region logic must be maintained in line with legal guidance.
Dark-pattern enforcement exposure
Banner UX that nudges acceptance disproportionately can face regulatory scrutiny. SessDev implements agreed UI, but legal/UX governance of fairness and neutrality is not part of this scope.
Stale or broken policy links
If policy URLs change and banner links are not maintained, consent context is degraded and legal posture weakens. Link ownership and content freshness remain with the client.
Preference persistence loss
Storage restrictions, browser settings or provider changes can reset consent states unexpectedly. Post-launch monitoring and provider-specific troubleshooting are operational responsibilities.
Scope bleed into legal compliance operations
Consent implementation can be mistaken for full legal compliance ownership. This scope delivers technical wiring only; compliance program ownership remains with client/legal teams.
Use case — Partner
Your legal/compliance owner defines policy language, jurisdiction posture and risk acceptance. SessDev wires the consent experience and category gating to your approved ruleset. Recommended pairing: SessDev Care retainer for controlled updates when scripts, providers or policy links change over time.
Apply as a partner
Use case — One-Shot
You receive one production-ready consent-banner implementation with category gating, preference persistence and handoff. Ongoing compliance governance and legal updates remain your responsibility after launch. If your stack changes frequently, add a Care plan at quote time to keep consent wiring current without ad-hoc risk.
Request a one-shot quote
Related scope items
- analytics_integration: Analytics execution is directly controlled by consent categories, so event collection depends on this setup.
- pixel_integration: Marketing pixels are normally blocked until consent allows marketing category execution.
- tag_manager_setup: Tag-manager triggers and tags should inherit consent-state rules defined by the CMP integration.
- legal_pages_setup: Banner links and legal copy references depend on legal pages being present and current.
- technical_seo: Consent UI must coexist with SEO infrastructure without breaking crawl-critical metadata and routing.
- content_injection: Policy labels, consent copy and button text come from client-supplied content injected into this implementation.
Frequently asked questions
- Which consent-banner providers do you support?
- Cookiebot, Termly and equivalent CMP providers with stable SDK/API support are in scope. Final provider selection and account ownership stay with the client.
- Can we define custom consent categories?
- Yes, where the selected CMP supports it. Baseline categories (necessary, analytics, marketing) are wired by default and custom categories are mapped during implementation if agreed.
- Do you review our policy text for legal compliance?
- No. SessDev does not provide legal drafting or legal advice. Policy wording and legal review are owned by the client and legal counsel.
- Is script blocking enforced before consent?
- For configured non-essential categories, yes. Script execution is gated by consent state as implemented in the chosen CMP and site wiring.
- Does this guarantee GDPR/ePrivacy compliance?
- No implementation alone can guarantee legal compliance. This scope provides technical controls that support compliance, while legal basis, policy content and governance remain client/legal responsibilities.
Legal reference
Read the binding scope clause — item #16, v2.0.0
