6 · Legal & consent

TL;DR

Objective — stand up the three legal essentials (cookie/GDPR banner, Privacy Policy, Terms) via the check-first pattern — fill the panel field if present, defer to Phase 7 if absent — and flag the hard dependency that consent must gate analytics before launch.

User part + done-when

👤 User part — generate the real Privacy/Terms text from a reputable generator and paste it into the panel, enable and configure the consent banner, and verify in incognito that the banner appears and “reject” is honoured; an agent can’t author legal copy or judge a rendered banner for you.

Done when Privacy + Terms render with real text, the cookie banner shows in incognito with “reject” honoured (or is deferred to Phase 7 and logged), and the consent-gates-analytics dependency is queued.  ·  ⏱ 30–60 min  ·  🔀 mixed (👤 panel + legal text, 🔀 defer-logging).

Background

Three legal essentials, all driven by the check-first pattern from page 1: inspect the admin panel first, then either fill the field or defer to the security/compliance phase. Privacy Policy and Terms are a MUST before any real signup; the cookie banner is a MUST in regulated markets and pairs directly with the analytics tag on page 7’s neighbour.

Whose GDPR? Operator vs tenant

The brand survey (page 2) drew the line: you are responsible for the marketing site + signup (your cookie banner, your privacy policy). A vendor’s built-in “GDPR module” usually serves the tenant’s end-users inside the product — a different surface with a different data controller. Don’t assume the vendor’s tenant-facing consent tooling covers your public funnel. Configure both surfaces, separately.

Whichever surface you’re filling, the source of the text matters as much as the toggle:

Get real legal text — don’t hand-write it

Generate Privacy Policy and Terms with a reputable generator (Termly, GetTerms, or Iubenda) tuned to your jurisdiction and data practices, then paste. Hand-written legal copy is a liability, not a shortcut.

Steps

1. Configure the cookie / GDPR consent banner

CHECK: Admin → Config → GDPR (or Privacy, or Cookie Settings). Enabling the banner and judging it in incognito are browser actions a person performs.

Who does this

👤 User enables the consent banner in the panel (set consent text, accept/reject buttons, cookie-policy link) and verifies in incognito that it appears and “reject” suppresses non-essential cookies — a panel toggle plus a visual check only a person makes.

1. Enable or defer the banner.

   • If present — enable the consent banner; set the consent text, accept/reject buttons, and a link to the cookie policy.

   • If absent — manual implementation belongs to the security & compliance phase (Phase 7). Log it as a TODO in the task ledger and return to it there.

   • ✅ The banner is enabled (or its absence is logged as a Phase 7 TODO).

2. Verify in incognito — the banner appears on first visit, and “reject” actually suppresses non-essential cookies.

   • ✅ Incognito shows the banner on first visit and “reject” is honoured.

Hard dependency — consent must gate analytics before launch

The GA4 tag you wire on the next page fires unconditionally until this banner gates it. For EU / UK / KSA / UAE compliance, production launch must gate analytics (and any pixels) on user consent. Flag this Task 66 → Task 63 dependency in your follow-ups queue now so it isn’t forgotten at cutover.

2. Publish the Privacy Policy

CHECK: Admin → Settings → Privacy (or Pages → Privacy Policy). Generating the legal text and pasting it are person-driven.

Who does this

👤 User generates the Privacy Policy from a reputable generator (tuned to jurisdiction + data practices) and pastes it into the panel — authoring legal copy is a human responsibility, not an agent task.

1. Paste or defer the Privacy Policy.

   • If present — paste the generated Privacy Policy text and save.

   • If absent — create a blade view + route manually (a code task; track it for the relevant phase).

   • ✅ The policy is saved (or the manual code task is tracked).

2. Verify — navigate to /privacy-policy (or the vendor’s equivalent slug); the page renders with your content, not vendor placeholder text.

   • ✅ /privacy-policy renders your real content.

3. Publish the Terms of Service

CHECK: Admin → Settings → Terms (or Pages → Terms of Service). Same generator + jurisdiction as the Privacy Policy.

Who does this

👤 User generates the Terms (same generator + jurisdiction as §2) and pastes them into the panel — legal copy a person authors and saves.

1. Paste or defer the Terms.

   • If present — paste the generated Terms and save.

   • If absent — create the view + route manually.

   • ✅ The Terms are saved (or the manual code task is tracked).

2. Verify — navigate to /terms-of-service; the page renders with the correct content, and the footer/signup links point to it.

   • ✅ /terms-of-service renders and is linked from footer + signup.

Checklist

Do not mark this step done until every box below is checked.

• 👤 Banner enabled — cookie/GDPR banner enabled (or deferred to Phase 7 and logged); incognito shows the banner on first visit and “reject” is honoured.
• 🔀 GDPR boundary checked — the public funnel’s consent is configured separately from any tenant-facing vendor module.
• 👤 Privacy Policy live — populated with real generated text; /privacy-policy renders correctly.
• 👤 Terms live — populated; /terms-of-service renders and is linked from footer + signup.
• 🔀 Dependency queued — Task 66 → Task 63 (consent gates analytics before production) is queued in the follow-ups ledger.

→Next step

7 · Theme & system pages