HTTP Cookies are small pieces of data stored on an individual user's device. They are commonly sent from a website while the user is browsing to remember important stateful information - for instance the items added to an online shopping basket; though as they may also be used in a manner that users do not expect it is important to disclose this information to users and gather their consent where appropriate.

Anchor point for Necessary Cookies

Cookie Control allows you to protect essential cookies from being periodically deleted with the property necessaryCookies.

In most cases you will not have to explicitly set this option, as cookies of this type are often issued by the server as HttpOnly and automatically protected.

Though should you need to protect additional cookies, the property expects a list of cookies names. It is also possible to use an asterisk as a wildcard at the end of a cookie name if you want all cookies that start with a given prefix to be protected.

For instance, if you wanted to protect the cookies named A, B and C; along with several other cookies whose names started with the prefix civic_, the configuration would be extended as follows:

const config = {
    // apiKey and other settings...
    necessaryCookies: ['A', 'B', 'C', 'civic_*'],

For more information about which cookies may be classified as necessary, please refer to the authority within your legal jurisdiction. In the UK, the ICO's guidance on cookies and similar technologies is a great place to start.

Anchor point for How Cookie Control stores user choices

Cookie Control itself remembers user choices via its own cookie named CookieControl.

Internal cookies are automatically acknowledged and protected. By default, these cookies are set as SameSite=Strict on the site's top level domain (TLD) and kept for a period of 90 days.

It is possible to customise these settings with the following properties:


Expects a number to determine how many days the consent of the user will be remembered for.


Expects a boolean value to determine whether or not the value of Cookie Control's own cookie should be encoded as a Uniform Resource Identifier (URI) component.


Expects a boolean value to determine whether or not Cookie Control's own cookie will be marked as SameSite.


Used in conjuction with the property sameSiteCookie to control the value of the SameSite cookie flag. Can be either "Strict", "Lax" or "None".

This property is only acknowledged if either sameSiteCookie: true , or if the site is served without data encryption (http:// only).


Expects a boolean value to determine whether Cookie Control's own cookie is set to the top level domain (tld) and therefore accessible on all sub domains, or disabled and saved only to the request host.

For convenience, you can extend your configuration with these properties and their default values as follows:

const config = {
    // apiKey and other settings...
    consentCookieExpiry: 90,
    encodeCookie: false,
    sameSiteCookie: true, // if false, cookie set as SameSite=None;secure;
    sameSiteValue: 'Strict', // either 'Strict', 'Lax', or 'None'
    subDomains: true,

Anchor point for Consent Records

It is also possible to log all consent records received (and revoked) via Cookie Control for up to a year.

This functionality is offered solely for the purposes of satisfying the Conditions for consent within Article 7 of the European Union's General Data Protection Regulation (GDPR):

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Article 7.1 - Conditions of Consent, GDPR

To enable consent records, please ensure you have agreed with CIVIC's data processing agreement (DPA) by logging into your account profile and extend your configuration with the logConsent property:

const config = {
    // apiKey and other settings..
    logConsent: true, // also requires acceptance of CIVIC's DPA

Anchor point for Privacy Statement

A privacy statement discloses ways in which one party gathers, uses and manages data. For websites, this type of document typically outlines the broader, more generalized treatment of its user's personal data and may include details such as the types of software being used and their use of cookies.

Associating a privacy statement with Cookie Control

Cookie Control allows you to make your users aware of your main privacy statement through use of the statement property. It is entirely optional, though if configured offers two main benefits:

Increased Transparency:

A description and link to your privacy policy appears underneath the introductory text within the main settings panel - making it easy for users to find before providing consent.

Increased Data Integrity:

Should your privacy policy change after a user gives consent, Cookie Control will invalidate prior records of consent and seek the user's preferences using the latest information available.

To extend your configuration with a valid privacy policy, the statement property must be given the value of a JavaScript Object containing the following properties:

descriptionThe text description that introduces your privacy policy.

The text label that best describes your privacy policy and is included within the HTML link element.


The URL where your privacy policy may be publicly accessed. The HTML link element will try to open in a new tab, so it may point to a PDF document if you wish without closing the user's access to your site.


The date that your privacy policy was last issued, in the format of dd/mm/yyyy.

For convenience, you can extend your configuration with the following snippet - though please be aware that there are no default values for URL and updated and the property will be dismissed if not supplied.

const config = {
    // apiKey and other settings...
    statement: {
        description: 'For more detailed information, please check our',
        name: 'Cookie and Privacy Statement',
        url: '',
        updated: '25/05/2018',

Anchor point for Site Specific Behaviour

Site specific behaviour and functionality may be defined in two different ways:

Optional Categories:

Entirely custom categories and behaviour that you yourself define.

Transparency and Consent Framework (TCF) v2:

Adherence to the policies and specifications set out by IAB Europe and

Google's Additional Consent Mode


These two forms of consent management are incompatible due to policies set out by the TCF v2 specification, so you first need to decide which is more appropriate for your website.

If you have not heard of the Internet Advertising Bureau (IAB Europe), or are running only analytics software on your website then chances are Optional Categories will be sufficient for your needs.

Optional Cookie Categories is the form of consent management the majority of our customers opt for due to its flexibility, though please note it does require some manual upfront effort to configure accurately.