CookieYes manages your consent banner and preference center. Disclosing it accurately in a privacy policy means explaining its role as consent infrastructure, what the CookieYes cookies store, and that the actual data collection from other tools only occurs when visitors grant the relevant consent.
Last reviewed by Lokker Privacy Engineering
Not legal advice
The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.
Data collection
This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.
Visitor consent decisions (accepted categories, rejected categories, timestamp)
CookieYes infrastructure cookies: cookieyes-consent (stores encoded preference), cky-consent (legacy), cky-action
Language and region preferences for banner localization
Banner interaction data for analytics within the CookieYes dashboard
Processing purposes
Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with CookieYes.
Recording and applying visitor cookie consent preferences
Controlling which cookie categories are active based on consent state
Providing a preference center for visitors to update their choices
Generating consent records for regulatory documentation
Automating cookie classification via the CookieYes scanner
Jurisdiction notes
These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.
United States
CookieYes consent infrastructure is typically treated as Strictly Necessary for managing compliance obligations. The consent preferences stored by CookieYes are functional data required for legal compliance. For CCPA, CookieYes can be configured to enforce opt-out of sale and sharing and to honor GPC signals.
EU and UK (GDPR)
Under the GDPR, CookieYes processes consent decisions as a data processor. It does not require separate consent to operate, as it is the mechanism through which consent is obtained. Your policy should describe CookieYes as the consent management infrastructure and note that preferences are stored in the cookieyes-consent cookie.
Example language
The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.
Consent management infrastructure row
CookieYes (CookieYes Limited): Cookie consent management platform that records and applies your cookie preferences. Stores your consent decisions in the cookieyes-consent cookie. Category: Strictly Necessary (consent infrastructure).
Cookie consent platform disclosure paragraph
We use CookieYes, a cookie consent management platform provided by CookieYes Limited, to manage your preferences about cookies and tracking technologies used on this website. When you visit our website, CookieYes displays a cookie consent banner that allows you to accept, reject, or customize your preferences for different categories of cookies. CookieYes stores your choices in the cookieyes-consent cookie so that your preferences are remembered and applied on each subsequent visit. CookieYes classifies the cookies used on our website by category (Strictly Necessary, Functional, Analytics, Advertisement, and Others) and ensures that cookies in non-essential categories are only set after you have provided consent. CookieYes does not use your consent preference data for advertising or profiling purposes. You can update your preferences at any time by clicking the Manage Cookie Preferences link in the footer.
Configuration checklist
An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for CookieYes.
CookieYes should be listed under Strictly Necessary and will always load regardless of visitor consent, as it is the mechanism for recording that consent.
Keep the CookieYes cookie scanner up to date. New cookies set by third-party tools or site updates may not be automatically classified. Run a fresh scan after significant site changes.
Configure GPC detection in CookieYes if serving California residents. When a visitor's browser sends a GPC signal, CookieYes can treat this as an opt-out of non-essential cookies.
Use Consent Validator to verify that non-essential tools blocked by CookieYes are actually not firing at the network layer. CookieYes category assignments must match your actual tag manager configuration.
Test the preference center link visibility across page types. A broken or hidden link impairs the visitor's right to withdraw consent as described in your policy.
Policy vs practice
These are common gaps between CookieYes privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.
What the policy says
Policies state that CookieYes automatically detects and classifies all cookies used on the site and enforces visitor consent decisions for each category.
The cookie notice table generated from CookieYes's scanner is described as a complete and current inventory of all cookies in use.
Policies describe consent as persistent across sessions, meaning visitors do not need to re-consent on every visit.
Policies confirm that GPC signals are recognized and trigger automatic opt-out of non-essential cookies for California visitors.
What Lokker validates
CookieYes enforcement requires integration with the tag manager or CMS. Without that wiring, CookieYes records a preference but non-essential scripts still load. Lokker confirms which cookies and network requests actually occur after a category is rejected.
CookieYes's automated scanner captures cookies visible during a single crawl. Cookies that appear only after login, after form submission, or conditionally may be missed. Lokker tests across multiple interaction states to find cookies absent from the declared inventory.
CookieYes stores consent in a browser cookie. Clearing cookies or using private browsing resets the preference. Lokker tests whether the correct banner re-appears and whether non-essential tools are correctly blocked on a fresh-cookie visit.
Lokker sends a GPC-enabled browser request and checks whether CookieYes triggers opt-out behavior and whether non-essential scripts are blocked. GPC support in CookieYes requires explicit configuration that may not be enabled by default.
Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether CookieYes loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
Questions
References
Regulatory guidance, enforcement decisions, and legal cases referenced on this page.
Regulatory guidance
UK Information Commissioner's Office
European Data Protection Board
Explore further
Same category
Validate technical compliance
Check that CookieYes is correctly wired to your tag manager and that rejected categories are not set in a real browser session.