GDPR
The GDPR and the ePrivacy Directive require prior consent before a website stores or reads non-essential cookies on a visitor's device. Consent must be freely given, specific, informed and as easy to withdraw as to give. You must be able to show that a given visitor consented. This page maps each obligation to the OptSens feature that supports it.
This documentation explains how OptSens features work. It is not legal advice. Whether and how the GDPR applies to your site is a decision for you and your own counsel.
What the regulation expects of cookie usage
Non-essential cookies (analytics, advertising, functional embeds) may not run until the visitor agrees. Essential cookies needed to deliver the site are exempt. Rejecting must be as simple as accepting, and the visitor must be able to change the choice later.
Obligation map
| GDPR obligation | OptSens feature |
|---|---|
| Prior consent before non-essential cookies | Opt-in banner with auto script blocking |
| Reject as easy as accept | Reject button shown next to Accept on the banner |
| Specific, granular consent | Category and vendor choices in the preference center |
| Informed consent | The cookie declaration lists every cookie, its provider and purpose |
| Consent in the visitor's language | More than 50 languages, switched by region |
| Easy withdrawal | Floating widget reopens the preference center at any time |
| Proof of consent (Art. 7(1)) | Consent records and the consent proof PDF |
| Re-consent when terms change | Consent expires after a set period and on policy or vendor changes |
| Data subject rights (Art. 15-22) | DSAR handling |
| Right to erasure (Art. 17) | Delete a visitor's consent records through the API |
Prior consent and blocking
In GDPR mode the banner appears before any non-essential script runs. With auto blocking on, OptSens holds analytics, advertising and embed scripts until the visitor grants the matching category. The visitor can accept all, reject all, or pick categories. The reject path is one click, the same as accept.
Auto blocking is configured per domain in Privacy Settings. When it is off, you must wrap scripts yourself with manual tagging or Consent Mode v2; otherwise non-essential cookies will load before consent.
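One way to verify that blocking holds, whether automatic or manual, is to compare the cookie writes seen during a test visit against the recorded choice. The following is an added example, not OptSens code; the event and consent shapes, the category names and the cookie names are assumptions constructed for illustration.

```javascript
// Added example: audit observed cookie writes against a visitor's consent.
// Event/consent shapes, category names and cookie names are assumptions
// constructed for this illustration; they are not OptSens formats.
const ESSENTIAL = "essential";

// Returns every cookie write that breaks prior consent:
//  - "before-consent": non-essential cookie set before a choice was recorded
//  - "category-not-granted": set after the choice, in a category not granted
// Uncategorized cookies are treated as non-essential (fail closed).
function findConsentViolations(events, consent) {
  const granted = new Set(consent ? consent.categories : []);
  // A missing or unparseable consent time means nothing is ever "after consent".
  const parsed = consent ? Date.parse(consent.timestamp) : NaN;
  const consentAt = Number.isNaN(parsed) ? Infinity : parsed;
  const violations = [];
  for (const ev of events) {
    if (ev.category === ESSENTIAL) continue; // exempt from consent
    const setAt = Date.parse(ev.time);
    // A write whose time cannot be parsed cannot be shown to follow consent.
    if (Number.isNaN(setAt) || setAt < consentAt) {
      violations.push({ name: ev.name, reason: "before-consent" });
    } else if (!granted.has(ev.category)) {
      violations.push({ name: ev.name, reason: "category-not-granted" });
    }
  }
  return violations;
}

// Constructed sample: one test visit where the visitor granted analytics only.
const sampleEvents = [
  { name: "demo_session", category: "essential", time: "2024-05-01T10:00:00Z" },
  { name: "demo_analytics_early", category: "analytics", time: "2024-05-01T10:00:01Z" },
  { name: "demo_analytics_late", category: "analytics", time: "2024-05-01T10:00:08Z" },
  { name: "demo_ads", category: "advertising", time: "2024-05-01T10:00:09Z" },
];
const sampleConsent = {
  timestamp: "2024-05-01T10:00:05Z",
  categories: ["analytics"],
};

console.log(findConsentViolations(sampleEvents, sampleConsent));
```

An empty result for a visit that ends in "reject all" is the outcome to aim for; any entry names a script that still needs blocking or tagging.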
Withdrawal and re-consent
Consent is not permanent. The floating widget lets a visitor reopen the preference center and change or withdraw their choice. Consent also has a lifetime, set per domain between 30 and 360 days (default 180); when it lapses the visitor is asked again. OptSens also re-prompts when the IAB policy version or your vendor selections change and, if Reset consent after scan is enabled (Scanner page), when a scan changes the cookie set.
Proving consent
For the Article 7(1) burden of proof, every choice becomes a consent record: the categories chosen, a timestamp, the banner language, the country, and a receipt ID. Browse and export these in consent logs, or produce a single signed consent proof PDF for one visitor.
Data subject requests
The GDPR gives visitors rights of access, rectification, erasure, portability, restriction and objection. OptSens collects these through the DSAR workflow, with a public intake form and a 30-day deadline tracker. For erasure of a visitor's stored consent, the REST API exposes a delete endpoint (see consent records).
Check your setup
The compliance report runs through the GDPR-relevant settings (blocking, logging, privacy policy URL, reject button, geo rules, consent expiry) and flags what still needs configuring.