Cookie compliance SGEN playbook

How to ship a complete cookie compliance setup on your SGEN site

Cookie compliance is a five-part system, not a single toggle. A consent banner is one piece. You also need a Cookie Policy page visitors can read, footer links that surface it on every page, script gating that blocks trackers until the visitor decides, and a weekly audit habit that keeps the log clean. This playbook walks through all five parts in order, with your business — EU and US visitors, three analytics tools — as the working fixture throughout.

Estimated time: 45 minutes on a fresh site. 20 minutes if your Cookie Policy page and footer links already exist.

Not legal advice. This doc describes operational steps inside SGEN. What your site must disclose, how long consent must be retained, and whether you need a dedicated Consent Management Platform depends on your audience, your legal counsel, and the regulations that apply to you. Treat this as a technical how-to, not compliance sign-off.

What is this for?

This playbook is for SGEN site owners who need to satisfy a data protection requirement — GDPR, UK PECR, CCPA, or a similar law — and want a single, ordered checklist they can run through from start to finish. Each step references the specific SGEN screen it lives on, so you do not have to piece together separate docs.

Use this playbook on launch day, when you add a new tracking tool, or when legal hands you updated disclosure copy.

The five steps together form a compliance system:

  1. Consent banner — collect the visitor's choice before any tracking script fires.
  2. Cookie Policy page — disclose every cookie your site sets, in plain language.
  3. Footer links — make the Cookie Policy and Privacy Policy reachable from every page.
  4. Script gating — enforce the visitor's choice on every tracker, including tools without a built-in toggle.
  5. Weekly audit — review the Consent Logs to catch regression before legal does.

Good use cases

Example 1: EU e-commerce launch. Your business sells Canvas Tote Bags and Barista T-Shirts to customers in the UK and EU. They need GDPR-compliant consent before Google Tag Manager fires. This playbook is the exact sequence their team ran in an afternoon.

Example 2: Adding Hotjar mid-quarter. Marketing signs up for Hotjar. A tracking script is now running without consent gating. Step 4 of this playbook shows how to add a regex pattern that suppresses Hotjar until a visitor accepts — no developer required, no code change, ninety seconds of work.

Example 3: CCPA "Do Not Sell" flow for US visitors. California law requires a clear opt-out path. Step 1 covers setting the Decline redirect URL to a CCPA confirmation page so visitors who click Decline land somewhere that confirms their choice.

What NOT to use this for

The steps here configure SGEN correctly; they do not substitute for a qualified assessment of which laws apply to your site and what they require.

If your audience requires Functional / Performance / Marketing category toggles for IAB TCF v2.0 compliance, pair SGEN with a dedicated CMP like OneTrust or Cookiebot.

A live banner that links to a missing or thin policy page is worse than no banner — regulators take note of mismatches between what the banner says and what the policy discloses.

The homepage is where most visitors land first; exempting it defeats the compliance purpose. Excluded Pages is only for your Privacy Policy and Cookie Policy pages.

Do not use this playbook as a substitute for legal review

How this connects to other features

Step 1 of this playbook lives there.

Configure the cookie consent banner — the full reference for every field on the Tracking Consent → Settings screen.

Before you start

Editor and Author roles cannot access Tracking Consent settings.

The banner will not reappear in a browser that has already recorded a consent decision, so all verification steps use incognito.

  • You are signed in to SGEN as a site owner or administrator.

Where to go

The five steps span four separate areas in your SGEN admin. Use this map before starting so you know where each step lands:

Step                     Admin area                             Path
──────────────────────────────────────────────────────────────────────────────────────────────
1 — Consent banner       Tracking Consent → Settings            /sg-admin/tracking_consent
2 — Cookie Policy page   Pages → All Pages                      /sg-admin/pages/
3 — Footer links         Appearance → Menu                      /sg-admin/appearance
4 — Script gating        Tracking Consent → Settings (return)   /sg-admin/tracking_consent
5 — Weekly audit         Tracking Consent → Logs                /sg-admin/tracking_consent/logs

Bookmark /sg-admin/tracking_consent — you will land there for Steps 1 and 4, and return for the weekly audit in Step 5.

Steps

1. Configure the consent banner

Open Tracking Consent → Settings from your SGEN left navigation.

A filled-in Settings panel for your business — EU and US visitors, all four Exclusions ticked, Hotjar in the regex box — looks like this:

Key settings for the EU + US configuration:

  • Enable Consent — on.
  • Position — Bottom. Switch to Top for stricter regions.
  • Require I agree checkbox — on (deliberate two-step acceptance).
  • Decline redirect URL — /privacy/do-not-sell-confirmed (CCPA confirmation page).
  • Gate all four built-in tools — GTM, Clarity, Session Attributer, Draft Form Entries.
  • Other scripts — /hotjar\.com/i on its own line.
  • Excluded Pages — Privacy Policy and Cookie Policy both selected.

After clicking Save Config, a green confirmation message appears at the top of the Settings panel. If the confirmation appears twice, that is a cosmetic display issue — your save went through. Reload the Settings panel to confirm the values are exactly as you left them.

2. Create the Cookie Policy page

A consent banner that links to a missing Cookie Policy page will fail a regulator review. Create the page before the banner goes live — or at the latest on the same day.

Go to Pages → All Pages, click Add New, pick Start from scratch, and fill in:

  • Title: Cookie Policy
  • Permalink: auto-fills as cookie-policy — leave it as-is.
  • Status: Publish (the page must be live before you add it to Excluded Pages in Step 1).
  • Content: your cookie table. See the minimum content table below.

Your Cookie Policy must list every cookie your site sets. The minimum required columns: cookie name, the tool that sets it, its purpose, and how long it is kept.

Cookie name        Set by              Purpose                           Retention
──────────────────────────────────────────────────────────────────────────────────
_ga                Google Analytics    Analytics — visitor tracking      2 years
_ga_XXXXXXXXXX     Google Analytics    Analytics — session ID            2 years
_clck              Microsoft Clarity   Session recording identifier      1 year
_clsk              Microsoft Clarity   Session recording sub-key         1 day
_hjSessionUser_*   Hotjar              Session recording identifier      1 year
_hjSession_*       Hotjar              Active session data               30 min
sgen_consent       SGEN                Stores the visitor's consent      12 months
sgen_session       SGEN                Authenticated session             Session

Add a short "How to opt out" section telling visitors how to clear cookies in their browser, and a "Last updated" date at the top of the page. Link back to your Privacy Policy from the footer of the Cookie Policy.

Once the page is Published, return to Tracking Consent → Settings, open the Excluded Pages multi-select, add the Cookie Policy page, and click Save Config again.

3. Pin Cookie Policy and Privacy Policy in your footer

Visitors need a persistent path to both legal pages from every page on the site — not only from the banner itself.

Go to Appearance → Menu, open your footer menu (or create one if it does not exist yet), and add two items:

  • Cookie Policy — the page you just created at /cookie-policy.
  • Privacy Policy — your existing policy page (typically at /privacy-policy).

Keep the label text literal: Cookie Policy and Privacy Policy. Do not rename them to marketing phrases — regulators look for these labels by name.

The footer of your business' site after Step 3:

4. Gate tracking scripts

The four built-in Exclusion toggles — GTM, Clarity, Session Attributer, Draft Form Entries — cover the most common tools. Any script added via Custom Codes that is not covered by those four toggles needs a regex pattern in the Other scripts textarea.

Return to Tracking Consent → Settings and paste the patterns you need into the Other scripts field, one per line:

/hotjar\.com/i
/cdn\.amplitude\.com/i
/segment\.(com|io)/i
/connect\.facebook\.net/i
/googletagmanager\.com\/gtag/i
/script\.crazyegg\.com/i
/cdn\.mxpnl\.com/i
/cdn\.mouseflow\.com/i

Each pattern matches against the src attribute or inline body of any <script> tag on your public pages. If a script matches, it is suppressed on every public page until the visitor accepts the banner. The /i flag makes every pattern case-insensitive.
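
One way to dry-run a set of Other scripts patterns against a page's HTML before saving, as an added example (not SGEN's own code). It assumes each line behaves like a JavaScript regular expression tested against a script's src or inline body; the sample HTML, the function names and the tracker-host list are constructed for illustration, and the built-in toggles are not modelled.

```javascript
// Added example, not SGEN code. Assumes SGEN applies each Other scripts line like a
// JavaScript RegExp to a <script> tag's src or inline body; built-in toggles are not modelled.

// Parse the textarea: one /pattern/flags entry per line.
function parsePatterns(text) {
  return text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean).map((line) => {
    const m = /^\/(.+)\/([a-z]*)$/.exec(line);
    if (!m) throw new Error(`Not in /pattern/flags form: ${line}`);
    return new RegExp(m[1], m[2]);
  });
}

// Collect src and inline body of every <script> tag (audit-grade, not a full HTML parser).
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : "", body: m[2].trim() });
  }
  return scripts;
}

// Report which scripts a pattern set would gate, and which known tracker hosts slip past it.
function auditGating(html, patternText, trackerHosts) {
  const patterns = parsePatterns(patternText);
  const report = { gated: [], ungatedTrackers: [] };
  for (const s of extractScripts(html)) {
    const label = s.src || s.body.slice(0, 50);
    const haystack = `${s.src}\n${s.body}`.toLowerCase();
    if (patterns.some((p) => p.test(s.src) || p.test(s.body))) report.gated.push(label);
    else if (trackerHosts.some((h) => haystack.includes(h))) report.ungatedTrackers.push(label);
  }
  return report;
}

// Constructed sample page: IDs are placeholders.
const SAMPLE_HTML = `
<script>(function(s){s.src="https://static.hotjar.com/c/hotjar-000000.js";})({});</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script src="/assets/site.js"></script>`;

const TRACKER_HOSTS = ["googletagmanager.com", "clarity.ms", "hotjar.com"]; // hosts this playbook searches for

// Two patterns from the list above: the gtag one misses the gtm.js embed.
const NARROW = String.raw`
/hotjar\.com/i
/googletagmanager\.com\/gtag/i`;
// The broader /googletagmanager\.com/i pattern catches both GTM embeds.
const BROAD = String.raw`
/hotjar\.com/i
/googletagmanager\.com/i`;

console.log(auditGating(SAMPLE_HTML, NARROW, TRACKER_HOSTS));
console.log(auditGating(SAMPLE_HTML, BROAD, TRACKER_HOSTS));
```

Any entry under ungatedTrackers is a script that needs either a built-in toggle or a wider pattern before the decline-all test will pass.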

Your business — tool-to-gating map:

Tool                                                   Gating method
───────────────────────────────────────────────────────────────────────────────────────────────────
Google Tag Manager (GA4, Pixel, all tags inside GTM)   Built-in toggle — Gate Google Tag Manager
Microsoft Clarity                                      Built-in toggle — Gate Microsoft Clarity
Hotjar                                                 Other scripts regex — /hotjar\.com/i
SGEN Session Attributer                                Built-in toggle — Gate Session Attributer

Click Save Config after adding the patterns.

Block test paths from session attribution. If your team runs QA sessions at a predictable URL path — for example /sgen-tracking-test/ — add a regex to Other scripts:

/\/sgen-tracking-test\//i

This prevents those sessions from being recorded as real-visitor attribution events. Alternatively, add the test page to Excluded Pages — that suppresses the entire banner (and all gating logic) on that page.

5. Test: accept-all and decline-all

Run this sequence using a fresh incognito window for each scenario.

Accept-all:

  1. Open a fresh incognito window and go to your homepage. The consent banner appears at the bottom of the viewport with your disclosure copy, the "I agree" checkbox, and your two button labels.
  2. Tick I agree.
  3. Click Accept and Enable. The banner dismisses.
  4. Right-click anywhere, pick View Page Source, and search (Ctrl-F) for googletagmanager.com — it should appear in the source.
  5. Search for hotjar.com — it should appear if Hotjar is configured.
  6. Refresh the page — the banner does not reappear.

Decline-all:

  1. Open a second fresh incognito window and go to your homepage. The banner appears again.
  2. Click Continue without analytics without ticking the checkbox. The banner dismisses and the browser navigates to /privacy/do-not-sell-confirmed if you set the Decline redirect URL.
  3. Right-click, pick View Page Source, and search for googletagmanager.com — zero matches.
  4. Search for hotjar.com — zero matches. Scripts are blocked.

The public page state after a visitor accepts — all scripts loading, footer links visible:

Test Excluded Pages. Open your Cookie Policy page in a fresh incognito window. The consent banner should not appear — that page is in your Excluded Pages list. The Privacy Policy page should also be banner-free.

6. Run the weekly Consent Logs audit

Open Tracking Consent → Logs on the first working day of each week. A healthy week of sessions on your business' site — 1,842 accepted, 214 declined, 47 no-decision, 612 on Excluded Pages:

The Logs list for the same period — one row per consent session, each row showing the decision, landing page, and behavioral metrics. Click any session key to open the full detail view (Summary card + Timeline):

What to look for in the weekly review:

  • Decline-rate spike (more than 30% above your baseline): usually a banner copy change, a layout regression, or a new script interfering with the Accept button. Open a few declined sessions and read their Timelines.
  • No-decision count growing: the banner is shown but visitors leave without deciding. Common if the banner is at Bottom and the page content pushes it off-screen on mobile. Consider switching to Top.
  • Zero new sessions: the banner is off or all visitors are landing on Excluded Pages. Open Settings and confirm Enable Consent is on.

Bulk-delete caution. The Logs screen's bulk-delete action runs immediately — filter the list down to only the rows you intend to remove and visually verify the selected set before deleting. Consent logs may be needed for compliance evidence, and permanent deletion is irreversible.

7. Maintain: resave after theme or layout changes

SGEN's consent banner inherits font and color tokens from your active theme. After you swap themes or edit Styles and Layouts, open Tracking Consent → Settings, click Save Config without changing anything, and verify the banner picks up the updated look in a fresh incognito window.

Resave after any of these events:

  • Theme change or global Styles and Layouts edit.
  • Adding a new tracking tool via Custom Codes (add its regex to Other scripts first, then save).
  • Legal hands you revised disclosure copy.
  • You publish or rename your Cookie Policy or Privacy Policy page.

What success looks like

After completing all seven steps, the compliance system is running:

  • Your public homepage shows the consent banner on every fresh visit, at the position you chose, with your disclosure copy and both button labels.
  • Right-click, pick View Page Source on the homepage in a fresh incognito window — zero matches for googletagmanager.com, clarity.ms, and hotjar.com.
  • After clicking Accept and reloading, the same search finds all three tools in Page Source — scripts are loading because the visitor consented.
  • Your Cookie Policy page at yourdomain.com/cookie-policy is published and lists every cookie by name, provider, purpose, and retention period.
  • Cookie Policy and Privacy Policy links are visible in your site footer on every page.
  • Tracking Consent → Logs fills up with accepted and declined rows within the first hour of real public traffic.
  • The Excluded Pages test passes — the consent banner does not appear on your Cookie Policy or Privacy Policy in a fresh incognito window.

What to do if it does not work

The banner is not appearing on my site

Confirm Enable Consent is on in the Settings panel. Open your homepage in a fresh incognito window — your normal browser already has a decision saved and will not show the banner again.

GTM is still loading after I ticked the exclusion

You likely have a second GTM embed in Custom Codes or your theme header. Add /googletagmanager\.com/i to the Other scripts textarea to catch all occurrences, then save.

The save confirmation appeared twice

A cosmetic display issue — your save went through correctly. Reload the Settings panel to verify that the saved values match what you entered.

My Cookie Policy page is still showing the banner

Open Settings, confirm the Cookie Policy page is actively selected in the Excluded Pages dropdown (highlighted, not just visible), and click Save Config again.

The banner shows up on the Cookie Policy page after I excluded it

SGEN caches the excluded-page list briefly. Wait one minute, then hard-refresh (Ctrl+Shift+R) and test in a fresh incognito window.

Bulk-delete ran and I removed the wrong sessions

The bulk-delete in the Logs screen has no confirmation step. Deleted consent records cannot be recovered. Going forward, filter carefully before selecting rows, and do not bulk-delete production consent records.

The Accept button does nothing when clicked

A Custom Code is likely interfering with the banner's click handler. Open Custom Codes, toggle each entry off one at a time, reload the homepage in a fresh incognito window, and try Accept after each toggle. The entry that, when disabled, lets Accept work is the one that needs a fix.

Examples in context

Example 4: Emergency banner disable for legal review.

Your business's legal team flags a broken link in the disclosure copy at 4 p.m. on a Friday — the Cookie Policy link points to the wrong slug.

The fix takes two minutes but legal needs the banner off the public site until they review the corrected copy on Monday.

An editor opens Tracking Consent → Settings, flips Enable Consent off, and clicks Save Config. She refreshes yourdomain.com in an incognito window — the banner is gone. All four Exclusions remain ticked behind the scenes, meaning GTM, Clarity, Session Attributer, and Draft Form Entries are all still suppressed because no new consent is being collected.

On Monday morning, she pastes the corrected link into the Consent message HTML, flips Enable Consent back on, and saves. The banner is live again with the corrected copy — the original button labels, Exclusions, and Excluded Pages are preserved exactly as they were.

Example 5: Adding a new analytics tool mid-quarter.

Your business's marketing lead signs up for Amplitude to track product-page funnel drop-off.

Amplitude is added via a <script src="https://cdn.amplitude.com/libs/amplitude-8-min.js"> tag in Custom Codes — a tracking tool, so it must be gated.

A teammate opens Tracking Consent → Settings, scrolls to the Other scripts textarea, adds /cdn\.amplitude\.com/i on a new line, and clicks Save Config.

To verify: she opens yourdomain.com in a fresh incognito window, right-clicks, picks View Page Source, and searches for amplitude. Zero matches — the script is suppressed. She clicks Accept and Enable on the banner, reloads, and searches again. Now cdn.amplitude.com appears in a <script src=..> tag near the closing body tag. The whole process took ninety seconds, with no code change and no developer.

Example 6: Responding to a Data Protection Officer audit.

A visitor contacts your business claiming they never consented to email marketing despite opting in through the site.

A teammate opens Tracking Consent → Logs, filters by the approximate date the visitor said they landed on the site, and scans the Landing Page and Decision columns. She finds a session with decision: accepted, opens the detail view, and screenshots the Summary card — Session Key, Decision At timestamp, Landing Page, and the Timeline ending in decision: accepted.

That screenshot is the evidence she sends to the DPO. The green accepted badge plus a timestamped Timeline row satisfies what GDPR Article 7 asks her to demonstrate: that consent was freely given, specific, and recorded at a precise moment in time.

EU / CCPA compliance operational checklist

The steps above satisfy the most common operational requirements. Run through this checklist before going live and keep a dated copy for your records:

  • [ ] Banner enabled — Enable Consent toggle is on in Tracking Consent → Settings.
  • [ ] Disclosure copy reviewed by legal — Consent message was written or approved by your legal team, not self-authored from an unreviewed template.
  • [ ] "I agree" checkbox on — Required for EU / UK audiences. May be off for US-only sites with legal sign-off.
  • [ ] All four Exclusions ticked — GTM, Clarity, Session Attributer, Draft Form Entries.
  • [ ] Non-GTM tools in Other scripts regex — /hotjar\.com/i and any additional patterns for tools not covered by the built-in toggles.
  • [ ] Decline redirect URL set — Points to a CCPA opt-out confirmation page.
  • [ ] Cookie Policy page published — Lists every cookie by name, provider, purpose, and retention period.
  • [ ] Privacy Policy published and linked — Referenced from the Cookie Policy and from the consent message HTML.
  • [ ] Both pages in Excluded Pages — Cookie Policy and Privacy Policy selected in the multi-select; banner does not appear on either.
  • [ ] Footer links in place — Cookie Policy and Privacy Policy visible in your footer on every page.
  • [ ] Accept test passed — In fresh incognito: scripts absent before Accept, scripts present after Accept.
  • [ ] Decline test passed — In fresh incognito: scripts absent after Decline. Decline redirect navigates correctly.
  • [ ] Excluded Pages test passed — Banner absent on Cookie Policy and Privacy Policy in fresh incognito.
  • [ ] Weekly Logs review scheduled — First working day of each week, Tracking Consent → Logs.
  • [ ] Bulk-delete discipline in place — Team knows to filter and verify before selecting rows for deletion.

Related reading

Configure the cookie consent banner — full reference for every field on the Tracking Consent → Settings screen, including all troubleshooting scenarios.

Review consent sessions — how to read individual session records and build an auditor-ready evidence trail from the Logs screen.

Create and manage pages — creating and publishing the Cookie Policy page in Pages → All Pages.

Add custom HTML, scripts, and tracking code — where GTM, Clarity, and Hotjar scripts are pasted before being gated here.
