Consent Models
Understand how ConsentStack applies the right consent model based on your visitor's location and local privacy laws.
Consent models are the rules that determine what your visitors see in the consent banner and whether scripts run before or after they give consent.
The five consent models
Every cookie category on your site is assigned a consent model. The model controls the visitor's experience and when scripts are allowed to execute.
| Model | What visitors see | Scripts run before consent? | When it applies |
|---|---|---|---|
| Opt-in | A banner with Accept and Reject buttons. Visitors must actively accept before anything runs. | No | GDPR countries (EU, EEA, UK, Switzerland) |
| Opt-out | A banner with Accept and Reject buttons. Scripts run immediately, but visitors can choose to reject. | Yes | US states with opt-out frameworks (e.g., California under CCPA) |
| Notice-only | An informational banner with a "Got it" button. No accept/reject choice. | Yes | Countries with no specific consent regulation |
| Exempt | Nothing — visitors never see this category. It is always active and does not appear in the preferences panel. | Yes (always on) | Essential cookies required for your site to function (e.g., session cookies, security tokens) |
| Dynamic | Varies — resolved automatically based on the visitor's US state. | Depends on the resolved model | US states with privacy laws, where requirements differ by state and data type |
How models are assigned
You do not need to figure out which model applies to which visitor. ConsentStack detects each visitor's location automatically and applies the correct consent model based on the privacy laws in their region.
Here is what the defaults look like out of the box:
| GDPR countries | US state privacy laws | Everyone else | |
|---|---|---|---|
| Essential | Exempt | Exempt | Exempt |
| Analytics | Opt-in | Dynamic | Notice-only |
| Marketing | Opt-in | Dynamic | Notice-only |
You can customize these rules in the Compliance tab of the Config Builder. For example, you might set Analytics to opt-in everywhere, or add a custom category with its own rules per region.
Dynamic consent in the US
Privacy laws in the United States are not uniform. Each state has its own rules, and those rules can vary depending on the type of data involved. This is why the US region uses the dynamic model instead of a single fixed rule.
When a visitor arrives from a US state with a privacy law, ConsentStack checks the specific requirements for that state and resolves each cookie category to the appropriate model. The result is that different categories can end up with different models for the same visitor.
For example, a visitor from California might see:
- Analytics resolved to opt-out (CCPA allows data collection with an opt-out option)
- Marketing resolved to opt-in (stricter rules for targeted advertising)
This all happens automatically. You do not need to configure state-level rules manually — ConsentStack has the requirements for all 18 covered US states built in.
Dynamic is never a visitor-facing model. Your visitors always see one of the concrete models — opt-in, opt-out, or notice-only. Dynamic is just how ConsentStack knows to check state-level rules before deciding.
What's next
- Learn about cookie categories and how to organize the scripts on your site
- Set up your consent rules in the Config Builder