What it means & why it matters
Legal pages have two distinct layers. The engineering layer is the page scaffolds, the routing, the metadata, the cookie banner UI, the consent-category wiring against analytics and pixels, the last-updated mechanism and the locale variants when multilingual is in scope. SessDev ships the engineering layer.
The legal layer — the actual text of the terms, the privacy policy, the cookie policy, the disclaimers, the lawful basis statements, the data-subject rights process — is regulated legal work. Drafting it requires a lawyer admitted in the relevant jurisdiction. SessDev does not author legal text and does not advise on what the text should say.
The lawyer relationship is owned by the client. SessDev publishes the final text the lawyer signs off on, into a routing and consent infrastructure the legal text can rely on. SessDev does not represent the client, does not negotiate with regulators and does not assume liability for compliance.
What SessDev includes
- Scaffolds for terms, privacy policy, cookie policy and up to 2 disclaimer pages, with a documented insertion point for the final legal text supplied by the client's lawyer.
- Stable URLs (/terms, /privacy, /cookies and disclaimer routes), canonical metadata, robots indexability and footer links from every page of the site.
- Cookie / consent banner implementation with a baseline UI, granular per-category controls (necessary, analytics, marketing) and a persistent preference store.
- Consent categories wired against the analytics, pixels and tag manager so each tag only fires when its category has been granted.
- Documented last-updated mechanism on each legal page so re-publications are clearly versioned and auditable.
- Up to 2 review cycles per page to accept lawyer-supplied text in clean blocks, without copy edits or counter-suggestions from our side.
- When multilingual is in scope, locale variants of each legal page wired into the same routing, with the lawyer-supplied translation as the source of truth.
- WCAG 2.2 AA baseline on the banner and legal pages (keyboard, focus management, screen-reader labels, contrast).
- 1 end-to-end validation pass: consent grant → categories applied → tags respect categories → preferences persist across navigation and reload.
What is excluded
- Authoring or rewriting the legal text itself — terms, privacy policy, cookie policy, disclaimers, lawful basis statements.
- Advising on what the legal text should say, what the lawful basis is, what data processing is permissible or what notice is required.
- Deciding which jurisdictions to be compliant with, choice-of-law clauses, forum-selection clauses or international transfer mechanisms.
- Translating legal text from one language to another — legal translation is a regulated task and must come from a qualified provider.
- Auditing the actual cookies, pixels and storage the site sets to align category labels with reality — this is an operations cycle, not the install.
- Negotiating data-processing agreements with subprocessors, vendors or ad platforms.
- Implementing the operational workflow for data-subject requests — access, deletion, portability — inside the client's systems.
- Producing the data map / record-of-processing required by GDPR Article 30.
- Monitoring legal changes (GDPR, CCPA, ePrivacy, DSA, AI Act, sectoral law) and revising the text accordingly.
- Issuing or representing any compliance certification (SOC, ISO, GDPR readiness statements).
- Negotiating, reviewing or signing vendor contracts on the client's behalf.
Risks if this is mis-configured
Unauthorised practice of law
Engineers drafting legal text — even "standard" privacy policies — expose the relationship to unauthorised-practice claims and the client to invalid disclosures. The lawyer remains in the loop for a reason; the engineering install does not absorb that.
Consent misalignment with actual tags
The banner offers three categories but ten tags fire — some without consent, some under the wrong category. The policy text describes processing the site does not actually perform. Both the engineering layer and the lawyer text drift out of sync without active auditing.
Copy-pasted policies from another site
"Take this from competitor X" requests produce policies that name the wrong entity, the wrong subprocessors, the wrong retention periods and the wrong jurisdictions. They look right and are legally hollow; SessDev refuses these requests on principle.
Jurisdiction mismatch
A policy drafted for one jurisdiction (US, EU, UK, LatAm) shipped without adaptation to the actual user base creates exposure in every territory the policy fails to cover. The lawyer is required to call those tradeoffs; the engineering install cannot.
Stale legal text
Legal text drafted at launch and never revisited goes stale fast — new vendors, new processing purposes, new subsidiaries, new regulations. Without an update cycle owned by the lawyer, the public-facing text quietly stops matching how the business operates.
Unprepared for data-subject requests
The privacy policy promises access, rectification and deletion. The business has no workflow to honour those requests within the legal window. The exposure is operational, not engineering, and it lives outside this scope.
Cookie banner dark-pattern accusations
Regulators have fined banners for designs that bury rejection, pre-tick non-necessary categories or use confusing labels. The baseline ships a fair UI; design changes pushed after handoff that nudge consent are a legal risk owned entirely by whoever requests them.
Use case — Partner
Your agency or the client's lawyer owns the legal text, the jurisdiction strategy and the compliance posture. SessDev ships the scaffold — routing, metadata, cookie banner, consent-category wiring, last-updated mechanism, locale variants — so the lawyer text lands into infrastructure that respects it. Recommended pairing: SessDev Care retainer to keep the cookie audit in sync with new tags, re-publish updated legal text without re-quoting, and absorb regulatory adjustments as they arrive.
Apply as a partnerUse case — One-Shot
You receive the legal scaffold as part of the buyout: page routes, cookie banner, consent-category wiring, last-updated mechanism, validation. After handoff, drafting and re-drafting legal text — and the cookie audit that keeps categories honest — lives with your lawyer. If you plan to evolve the policies as the business grows — and every business does — add a Care plan at quote time so each text update is published cleanly instead of patched into production.
Request a one-shot quoteRelated scope items
- technical_seoLegal pages share the canonical and metadata infrastructure delivered as part of technical SEO; the lawyer text is not what we configure.
- multilingual_archLocale variants of legal pages route through the same multilingual architecture, but the translated legal text must come from a qualified legal translator.
- analytics_integrationAnalytics fires only when the analytics consent category is granted in the cookie banner; the wiring lives in this scope.
- pixel_integrationMarketing pixels fire only when the marketing consent category is granted; the wiring lives in this scope.
- tag_manager_setupWhen a tag manager is in scope, the cookie banner and consent categories are wired against consent-mode at install time.
- content_injectionLegal text supplied by the lawyer is injected into the scaffolds through the same content-injection pipeline as the rest of the site copy.
Frequently asked questions
- Do you write the privacy policy or the terms of service?
- No. Legal text is drafted by a lawyer admitted in the relevant jurisdiction. SessDev publishes the final, lawyer-signed-off text into the scaffolds and does not edit it. Templates pulled from another company's site are not accepted.
- Is the cookie banner part of the install?
- Yes. The cookie / consent banner UI, the per-category granular controls and the persistent preference store are part of the legal-pages scaffold. The category labels and policy text behind them come from the lawyer.
- Do you translate legal pages into other languages?
- No. Locale variants of legal pages route through the multilingual architecture, but the translated legal text must come from a qualified legal translator. Machine translation of legal text is not accepted.
- Which jurisdictions are covered?
- Whichever jurisdictions the lawyer-supplied text covers. SessDev does not decide on jurisdiction strategy, choice-of-law clauses or international transfer mechanisms; those are legal decisions owned by the client and their lawyer.
- How do legal pages get updated after launch?
- The lawyer supplies updated text, SessDev re-publishes it through the same scaffold, and the last-updated mechanism records the change. Periodic re-publications are covered by the Care retainer or scoped as additive line items.
Legal reference
Read the binding scope clause — item #4, v2.0.0
