COOKIE BANNER AND PRIVACY INFRASTRUCTURE
1. Overview
This document provides ready-to-implement copy for the cookie consent banner, the cookie preferences modal, the “Do Not Sell or Share” link, and supporting privacy infrastructure. The Privacy Policy provides the legal disclosures; this document tells the engineering team what to build and where to display each element. The legal framework is principally California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and the additional state privacy statutes that have come into effect through 2026. The implementation below is sufficient for compliance across these regimes; if the Platform later targets EU users, GDPR-specific updates will be needed (consent before any non-essential cookie loads, separate consent for each purpose, withdraw-consent equal in prominence to grant-consent).
2. Cookie Banner Copy
The cookie banner appears on the user's first visit and any subsequent visit where the prior consent has expired or been revoked. It must be displayed before any non-essential Cookie loads.
2.1 Standard Banner (Desktop and Mobile)
Display: Bottom-of-page sticky banner, visible without scrolling, dismissable only by interacting with one of the controls below.
Headline: “We use cookies”
Body: “CopyWins uses cookies and similar technologies to operate the Platform, remember your preferences, analyze usage, and (with your permission) personalize content and advertising. You can accept all, reject non-essential, or customize your preferences. You can change your choices any time through the Cookie Preferences link in the footer.”
Buttons (in this order, equal visual weight):
“Accept All”
“Reject Non-Essential”
“Cookie Preferences”
Critical implementation note: Reject must be as easy as Accept. If “Accept All” is one click, “Reject Non-Essential” must also be one click. Designs that bury the reject option behind a “Customize” button violate California regulations and have been the subject of enforcement actions.
2.2 California-Resident Banner Variant (When Geolocation Indicates California)
Display: Same banner location, with an additional line below the body and an additional link.
Additional line: “California residents: You have the right to opt out of the sale or sharing of your personal information. Click ‘Do Not Sell or Share’ below or use the link in our footer.”
Additional link (small text, prominent placement): “Do Not Sell or Share My Personal Information”
2.3 Mobile App Equivalent
On the iOS App, the App Tracking Transparency prompt is required before any cross-app tracking. The cookie banner equivalent is presented as a modal on first launch with the same three-button structure adapted to mobile.
On Android, the equivalent is a first-launch consent screen that mirrors the web banner.
3. Cookie Preferences Modal
The Cookie Preferences Modal opens when the user clicks “Cookie Preferences” from the banner or footer. It allows granular consent by category.
3.1 Modal Header
Title: “Cookie Preferences”
Subtitle: “Choose which cookies CopyWins can use. Essential cookies are required for the Platform to work and cannot be turned off.”
3.2 Categories (with toggle controls)
Category | Description |
Strictly Necessary (always on) | Required for the Platform to operate. Includes authentication, session management, security, and load balancing. Cannot be disabled. |
Functional | Remember your preferences such as language, region, and display settings. Disabling these may degrade your experience. |
Analytics | Help us understand how the Platform is used so we can improve it. Includes aggregated usage data. |
Advertising and Targeting | Used for cross-context behavioral advertising and to measure the effectiveness of marketing campaigns. Disabling these will limit the personalization of advertising you may see. |
3.3 Modal Footer Buttons
“Save Preferences” (saves the per-category selections)
“Accept All”
“Reject Non-Essential”
3.4 Persistence
Save the user's preferences for thirteen (13) months and re-prompt at expiration. If the user clears Cookies, the preference is lost and the banner re-displays on next visit. Do not infer consent from continued browsing; consent must be affirmative.
4. “Do Not Sell or Share My Personal Information” Link
Required by California, Colorado, Connecticut, and other state laws to be displayed in the footer of every page. Clicking the link must allow opt-out without requiring account creation, account login, or providing additional information beyond what is needed to honor the request for that browser.
4.1 Footer Display
Footer link text: “Do Not Sell or Share My Personal Information”
Display in the same visual treatment as other footer links. Do not bury under “More” or “Settings” collapsibles.
4.2 Click Destination
Clicking the link opens a confirmation dialog with the following copy:
Headline: “Opt out of sale and sharing”
Body: “CopyWins does not sell your personal information for money. Depending on the advertising and analytics tools we use, certain disclosures may qualify as ‘sharing’ of your personal information for cross-context behavioral advertising under California law. By confirming below, we will treat this browser as opted out of any such sharing.”
Confirm button: “Opt Out”
Cancel button: “Cancel”
4.3 Effect of Opt-Out
On opt-out:
Disable all advertising and targeting Cookies for this browser.
If the user is logged in, record the opt-out on the user's account so it persists across devices for that account.
Do not require re-confirmation more often than every twelve (12) months.
Honor Global Privacy Control (GPC) signals automatically as opt-out signals; if the GPC signal is present and the user is logged in, also apply the opt-out to the user's account.
5. “Limit the Use of My Sensitive Personal Information” Link (California)
Required only where the Platform uses sensitive personal information for purposes other than those permitted by CCPA Section 1798.121(a). On the current architecture (sensitive personal information is collected through Stripe for KYC and tax purposes only), the Platform may either (a) display this link as a parallel control, or (b) include in the Privacy Policy a clear statement that sensitive personal information is used only for permitted purposes and therefore the link is not required. Option (b) is cleaner. The Privacy Policy as drafted leaves room for either approach.
6. Data Subject Request (DSR) Intake
State privacy laws require an accessible mechanism for consumers to submit requests to know, delete, correct, opt out, and (for California) limit use of sensitive personal information. The Platform must offer at least two methods, one of which is a webform or email.
6.1 Recommended Implementation
Email channel: [email protected] (must be monitored daily).
Webform: a dedicated /privacy-request page with fields for name, email, request type, state of residence, and verification information.
Toll-free phone number: required for businesses subject to CCPA that operate exclusively online and have a direct relationship with consumers, the toll-free requirement is satisfied if email and webform are both available, but a phone option remains best practice.
6.2 DSR Workflow
On receipt of a DSR:
Acknowledge receipt within ten (10) business days, including a description of how the request will be processed and the verification steps required.
Verify the requester's identity to a reasonable degree of certainty proportionate to the sensitivity of the request. For access and deletion of identifiable account data, require account login or two pieces of matching information. For deletion of highly sensitive information, require enhanced verification.
If the request is from an authorized agent, verify the agent's authority through a written authorization or power of attorney, and verify the consumer's identity directly.
Substantively respond within forty-five (45) days of receipt, with one extension of up to forty-five (45) additional days where reasonably necessary. Notify the consumer of any extension.
Document the request, verification, and response in a DSR log retained for at least twenty-four (24) months.
If the request is denied (in whole or in part), explain the basis and notify the consumer of the right to appeal.
On appeal, respond within forty-five (45) days (sixty (60) in some states). If the appeal is denied, provide the consumer with the contact information for their state attorney general.
6.3 Rate of Response
Free for two requests per consumer per twelve (12) months in most states. Excessive, repetitive, or manifestly unfounded requests may be denied or charged a reasonable fee, with documentation.
7. Vendor Management and Data Processing Agreements
Each vendor that processes personal information on the Platform's behalf must execute a Data Processing Agreement (DPA) before live processing begins. The DPA must include:
A description of the processing (categories, purposes, duration).
The vendor's obligation to process only on documented instructions.
Confidentiality obligations on personnel.
Security measures appropriate to the data.
Restrictions on subprocessing (with notice to CopyWins).
Cooperation in DSR responses.
Data breach notification obligations (typically within 72 hours of awareness).
Return or deletion of data on termination.
Audit rights.
7.1 Priority Vendors at Launch
Stripe (DPA available; signed automatically as part of Stripe Connect onboarding).
Cloud hosting provider (AWS, Google Cloud, Azure - DPAs published and self-executing).
Email service provider (SendGrid, Postmark, etc.).
Customer support tool.
Analytics vendor.
Content moderation tool, if used.
Identity verification vendor, if separate from Stripe.
8. Records of Processing and Internal Documentation
California, Colorado, Connecticut, and Virginia (among others) require businesses to maintain documented records of processing. The Platform should maintain a Records of Processing Activities (ROPA) log internally that includes, for each processing activity:
The categories of personal information processed.
The categories of consumers.
The purposes of processing.
The categories of recipients.
The retention period or criteria.
Any cross-border transfers (if applicable).
Security measures.
The ROPA does not need to be published; it must be available to regulators on request.
9. Data Retention Schedule
Recommended retention periods:
Data Category | Retention Period |
Account information (active accounts) | Life of the account |
Account information (after termination) | 180 days, then anonymize or delete |
Transaction and tax records | 7 years (federal tax recordkeeping) |
KYC documentation | 5 years from account closure (BSA recordkeeping if applicable) |
Content (active) | Life of the account |
Content (after termination) | Retained for historical performance display where opted in; otherwise removed within 90 days |
Moderation decision records | 3 years |
Customer support tickets | 3 years |
Marketing email engagement logs | 2 years from last engagement |
Server logs | 90 days |
Analytics data | Anonymize after 14 months |
DSR request logs | 24 months minimum |
Backups | 30 days, then automatic deletion |
10. Data Breach Response
Every U.S. state has a data breach notification statute. Most require notice without unreasonable delay, with outer limits between 30 and 90 days. The Platform should adopt a written incident response plan including:
Detection and triage workflow.
Identification of designated incident response lead and escalation contacts.
Forensic investigation procedures (often coordinated with cyber insurance carrier).
Determination of notification triggers under each applicable state law.
Drafting and approval of consumer notification (template should be pre-drafted).
Regulator notification where required (varies by state and industry).
Credit monitoring offering, if appropriate to the data involved.
Post-incident review and policy updates.
Cyber liability insurance coverage typically funds many of these activities, including outside breach counsel and forensics. The insurer's panel counsel should be identified before an incident occurs, not after.
11. Children Under 18 and Parental Notice
The Platform's age gate must be technical, not just contractual. Recommended layered approach:
Date of birth field at signup; reject if under 18.
Block re-attempts from the same browser/device for 24 hours after a rejection (prevents users from simply retrying with a different birthday).
If account activity later suggests the user is under 18 (e.g., reported by another user, or content suggesting school context), suspend pending verification.
On confirmed under-18 status, delete the account and associated personal information.
Texas (HB 18), Utah, and Louisiana have age verification statutes for certain content categories that may apply to the Platform's sports content. Monitor enforcement and adjust geographic restrictions as needed.
12. GPC Signal Honoring
Global Privacy Control (GPC) is a browser-level signal recognized as an opt-out preference signal under California, Colorado, and Connecticut law. The Platform must:
Detect the GPC header on incoming HTTP requests.
Treat GPC as a verifiable opt-out request from the browser.
Apply the opt-out to advertising and targeting Cookies for that browser session and persistently.
If the user is also logged in, propagate the opt-out to the user's account preferences.
Do not display additional friction (such as confirmation dialogs) when honoring a GPC signal.
13. Quarterly Privacy Review
Recommend a quarterly review covering:
DSR volume and response time metrics.
Cookie consent rates.
Vendor changes and DPA status.
Any privacy-related complaints or regulator inquiries.
Updates to applicable state laws (the privacy law landscape is evolving rapidly).
Updates to the Privacy Policy as needed.
The review should be documented and retained as part of the privacy program.