GH GambleHub

Cookies and CMP System Policy

1) Purpose and area

Establish uniform rules for the lawful storage/reading of identifiers (cookies, local storage, SDKs) and for consent management via a CMP across all surfaces: web, iOS/Android, e-mail/SMS/push, affiliate landing pages, streams. The document complements: "GDPR: Consent Management," "Age Verification," "Advertising Standards."

2) Legal basis (brief)

ePrivacy: any cookies/SDKs that are not strictly necessary - only after consent. "Strictly necessary" (authentication, basket/balance, security/anti-fraud) - allowed without consent.
GDPR: consent as a legal basis for processing (Art. 6(1)(a)); for service operations - contractual need (Art. 6(1)(b)); legitimate interest - limited and with the right to object.
Children/vulnerable: marketing/personalisation IDs - banned.

3) Principles

1. Prior consent: no non-essential tags fire before the user makes a choice in the CMP.
2. Separation of purposes: analytics, personalization, marketing, remarketing, geolocation, A/B - separate toggle switches.
3. Withdrawal = one click: as simple as consent; processing stops immediately.

4. No dark patterns: equal visibility of "Accept All" / "Reject All" / "Customize."

5. Provability: text versions, hashes, UI screenshots, tag firing logs.
6. Minimization/localization: we set and store only what is needed, only in permitted regions.

4) Roles and RACI

DPO/Compliance (Owner) - policy, DPIA, responses to complaints. (A)

Legal - texts, local requirements and retention periods. (R)

Product/UX - banners/panels, availability and locales. (R)

Engineering/CMP Owner - tag locks, SDK, API, versions. (R)

Data/Analytics - de-identification modes, measurement taking into account consents. (C)

CRM/Ads - suppression by withdrawn consents. (R)

InfoSec - encryption, keys, access to consent logs. (C)

Internal Audit - evidence samples, CAPA. (C)

5) Cookie/SDK taxonomy

Strictly necessary (without consent):
  • Session/authentication, balance/basket, fraud protection and load balancing, storage of the privacy choice itself.
By agreement (separate goals):
  • Analytics (user-level, cross-device ID).
  • Personalization (content/games, recommendations).
  • Marketing (e-mail/SMS/push - channels separately).
  • Remarketing/Ads (third-party pixels/SDKs).
  • A/B testing (if using identifiers).
  • Geolocation "city/region" (non-strict).

6) CMP: UX patterns and texts

First layer (banner): short statement of purpose, 3 equivalent buttons: Reject all / Customize / Accept all.
Second layer (panel): per-purpose toggle switches, list of vendors and retention periods, link to the policy.

Preference center: in the player's profile - channel marketing flags (e-mail/SMS/push/phone), "unsubscribe from everything."

Accessibility: AA+ contrast, focus trap, screen readers, localization, mobile adaptation.
GPC/Do Not Track: global signal = reject all (except strictly necessary).
Apps: in-app CMP + system OS prompts; synchronize with the server-side profile.

Example banner text:
💡 We use files and IDs for analytics, personalization and marketing. Choose what works for you. You can change the settings at any time.
[Reject All] [Customize] [Accept All]

7) IAB TCF 2.2 (framework)

Generation and storage of TC strings, vendor list version, mapping of TCF purposes ↔ our flags.
Blocking third-party tags until a TC string (prior consent) is received.
Honouring per-vendor and per-purpose consents and objections.
For markets outside TCF - custom CMP with equivalent logging.

8) Tags, Tag Manager and Server-side

Deny by default: rules in the Tag Manager block all non-essential tags until consent.
Server-side tagging: proxy layer that zeroes/masks identifiers in the absence of consent; the configuration is stored in the permitted region.
SDK gates - initialize marketing/analytics SDKs only when the corresponding purpose flag is true.
Firing logs: who/what/when "fired," and under which consent status.
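The gating logic described in sections 6 and 8 (deny by default, GPC as a global reject, a firing log for every decision, and a check for tags that fired without a matching consent) can be sketched in a few functions. The block below is an added example, not GambleHub's CMP or Tag Manager code; purpose names follow the taxonomy in section 5, while the tag manifest, the consent record and the `firingViolations` helper are constructed here for illustration.

```javascript
// Added example (not the project's own code): deny-by-default tag gating with a firing log.
// Purpose names mirror section 5; tag names and the consent record are constructed.
const STRICTLY_NECESSARY = 'strictly_necessary';

// Effective consent for one purpose, derived from the stored record and the
// browser's Global Privacy Control signal. GPC = reject everything non-essential.
function effectiveConsent(record, purpose, gpc) {
  if (purpose === STRICTLY_NECESSARY) return true; // allowed without consent
  if (gpc) return false;                           // global signal overrides stored choices
  if (!record) return false;                       // no choice yet: prior-consent rule
  return record.purposes[purpose] === 'accept';    // 'deny' / 'withdraw' / missing -> false
}

// Decide whether one tag may fire and record the decision either way.
function gateTag(tag, record, gpc, log, at) {
  const fired = effectiveConsent(record, tag.purpose, gpc);
  log.push({
    tag: tag.name,
    purpose: tag.purpose,
    fired,
    consent_id: record ? record.consent_id : null,
    gpc,
    at,
  });
  return fired;
}

// Run a tag manifest through the gate; returns the tags that fired plus the full log.
function runTags(tags, record, gpc, at = new Date().toISOString()) {
  const log = [];
  const fired = tags.filter(t => gateTag(t, record, gpc, log, at)).map(t => t.name);
  return { fired, log };
}

// Independent check over a firing log (the "Tag Firing Violations" KRI of section 13):
// any non-essential tag that fired while effective consent was false is an incident.
function firingViolations(log, record, gpc) {
  return log.filter(e => e.fired && !effectiveConsent(record, e.purpose, gpc));
}

// Constructed sample: a tag manifest and a consent record with one accepted purpose.
const TAGS = [
  { name: 'session_auth', purpose: STRICTLY_NECESSARY },
  { name: 'analytics_vendor_x', purpose: 'analytics' },
  { name: 'ads_pixel_y', purpose: 'remarketing' },
];
const RECORD = {
  consent_id: 'c-0001',
  purposes: { analytics: 'accept', personalization: 'deny', marketing: 'deny',
              remarketing: 'withdraw', geolocation: 'deny', ab_testing: 'deny' },
};
```

With `RECORD` and no GPC signal only `session_auth` and `analytics_vendor_x` fire; with GPC set, or with no record at all, only `session_auth` does. `firingViolations` is the kind of check a CI linter or nightly job would run over exported logs, independently of the gate that produced them.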

9) Data, artifacts and retention (minimal model)

  consent_id, user_id/device_id, market, locale,
  ui_variant_id, policy_version, tcf_string, vendors[],
  purpose_id, status{accept | deny | withdraw}, source{web | app | sdk | api},
  captured_at_utc, ip_hash, ua_hash, gpc{true | false},
  evidence{banner_screenshot_id, copy_hash}, expires_at

WORM logs of consents/withdrawals, versions of texts, screenshots of UI variants.
Retention: while the purpose/relationship is valid + local deadlines; marketing - limited (often ≤ 24 months of inactivity).

10) Integrations: CRM/Ads/Affiliates

Suppression: withdrawal → immediate deactivation of channels and remarketing (near-real-time + nightly batches).
E-mail/SMS: send only when the channel flag is explicitly true (double opt-in where the market requires it).
Affiliates: leads without a valid consent status - do not qualify; the version/hash of the consent terms - required.
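Sections 9 and 10 together describe a suppression check: the latest consent record per user decides whether a marketing send is allowed, and withdrawn, expired or missing consents must suppress the send. The block below is an added example (not GambleHub's suppression service) that reconciles a planned send list against consent records using the field names of the section 9 model; the sample records, the `doi_confirmed` field and the set of markets that require double opt-in are constructed assumptions.

```javascript
// Added example (not the project's own code): reconcile a campaign send list against
// consent records. Field names follow the minimal data model; all sample data is constructed.

// Latest record per user for one purpose (ISO-8601 UTC strings compare lexically).
function latestStatusByUser(records, purposeId) {
  const latest = new Map();
  for (const r of records) {
    if (r.purpose_id !== purposeId) continue;
    const prev = latest.get(r.user_id);
    if (!prev || r.captured_at_utc > prev.captured_at_utc) latest.set(r.user_id, r);
  }
  return latest;
}

// Split a send list into allowed entries and suppressed entries with a reason each.
// doubleOptInMarkets is a constructed config: markets where confirmed DOI is mandatory.
function reconcileSendList(sendList, records, purposeId, nowUtc, doubleOptInMarkets) {
  const latest = latestStatusByUser(records, purposeId);
  const allowed = [];
  const suppressed = [];
  for (const entry of sendList) {
    const rec = latest.get(entry.user_id);
    let reason = null;
    if (!rec) reason = 'no_consent_record';
    else if (rec.status !== 'accept') reason = `status_${rec.status}`;      // deny / withdraw
    else if (rec.expires_at && rec.expires_at <= nowUtc) reason = 'consent_expired';
    else if (doubleOptInMarkets.has(rec.market) && !rec.doi_confirmed) reason = 'double_opt_in_missing';
    if (reason) suppressed.push({ user_id: entry.user_id, reason });
    else allowed.push(entry.user_id);
  }
  return { allowed, suppressed };
}

// "Suppression Integrity" KRI (section 13): run the same rules over what was actually
// sent; the count of reached users who should have been suppressed must be 0.
function suppressionIntegrityViolations(sentLog, records, purposeId, nowUtc, doubleOptInMarkets) {
  return reconcileSendList(sentLog, records, purposeId, nowUtc, doubleOptInMarkets).suppressed;
}

// Constructed sample data.
const DOI_MARKETS = new Set(['DE']); // assumption for the example only
const RECORDS = [
  { consent_id: 'c1', user_id: 'u1', market: 'GB', purpose_id: 'marketing_email', status: 'accept',
    captured_at_utc: '2024-01-10T09:00:00Z', expires_at: '2026-01-10T09:00:00Z', doi_confirmed: true },
  { consent_id: 'c2', user_id: 'u2', market: 'GB', purpose_id: 'marketing_email', status: 'accept',
    captured_at_utc: '2024-02-01T09:00:00Z', expires_at: null, doi_confirmed: true },
  { consent_id: 'c3', user_id: 'u2', market: 'GB', purpose_id: 'marketing_email', status: 'withdraw',
    captured_at_utc: '2024-03-01T09:00:00Z', expires_at: null, doi_confirmed: true },
  { consent_id: 'c4', user_id: 'u3', market: 'GB', purpose_id: 'marketing_email', status: 'accept',
    captured_at_utc: '2022-01-01T09:00:00Z', expires_at: '2024-01-01T09:00:00Z', doi_confirmed: true },
  { consent_id: 'c5', user_id: 'u5', market: 'DE', purpose_id: 'marketing_email', status: 'accept',
    captured_at_utc: '2024-05-01T09:00:00Z', expires_at: null, doi_confirmed: false },
  { consent_id: 'c6', user_id: 'u4', market: 'GB', purpose_id: 'analytics', status: 'accept',
    captured_at_utc: '2024-05-01T09:00:00Z', expires_at: null, doi_confirmed: true },
];
const SEND_LIST = ['u1', 'u2', 'u3', 'u4', 'u5'].map(user_id => ({ user_id }));
```

Only `u1` survives: `u2` withdrew after accepting, `u3`'s consent has expired, `u4` has consent for analytics but none for the e-mail channel, and `u5` lacks the confirmed double opt-in that the constructed DE profile requires. Running `suppressionIntegrityViolations` over the actual send log (rather than the plan) gives the KRI value the dashboard should show as zero.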

11) Regional profiles (template)


Market: ______
Required banner elements:...
Retention and localization:...
Requirements for TCF/vendor lists:...
GPC/DNT status:...
Documents/mandatory links:...

12) Control, tests and audit

CI linter: check for the presence of Reject All, GPC handling, tag blocking until consent.
E2E tests: accept/deny/withdraw scenarios → check firing logs and suppression in CRM.
Samples: quarterly audit of consent records and UI screenshots; versioning of texts.
Incidents: any firing of a tag without consent → immediate takedown, root cause/fix, CAPA.

13) KPI/KRI and dashboard

Opt-in Rate by purpose/market/device.
Withdraw Rate and Time-to-Apply (median).
GPC Honor Rate (correct handling of the global signal).
Tag Firing Violations (per 1k page loads).
Suppression Integrity (marketing reach of withdrawn users = 0).
Complaint Rate / Regulatory Findings.
Auditability Score (% of records with a full package of artifacts).

14) Checklists

Before launch

  • Banner with Reject All, locales, AA+ accessibility.
  • Purpose categories and vendor list agreed (Legal/DPO).
  • Tag Manager: deny by default; SDK gates.
  • GPC is recognized and applied.
  • Preference center with channel flags and "unsubscribe from everything."
  • WORM evidence storage is enabled.

In operations

  • Monitor firing violations and GPC handling.
  • CRM/Ads suppression reconciliation.
  • DSAR returns the current status and log.

Audit/Improvement

  • Quarterly samples of consents and UI screenshots.
  • A/B review of the banner for the absence of dark patterns.
  • Update regional profiles and texts.

15) Templates (quick inserts)

A) Banner (first layer)

💡 We use files and IDs for analytics, personalization and marketing. You can accept, reject, or customize by category.
[Reject All] [Customize] [Accept All]

B) Panel (purpose "Remarketing/Ads")

💡 Allow IDs to display personalized ads on external sites. Without this, we will not use third-party pixels/SDKs.

C) Withdrawal of consent (confirmation)

💡 Your settings have been updated. Personalized ads and marketing IDs are disabled. You can still play and use the service.

D) Response to "impossible to refuse" complaint

💡 Refusal is available from any screen via Privacy Settings and in the CMP banner. We checked the behavior of page N and fixed the problem. Sorry for the inconvenience.

16) Technical framework and events

Events: `cmp_banner_shown`, `consent_given/denied/withdrawn`, `gpc_detected`, `tag_fired_blocked`, `sdk_initialized/blocked`, `marketing_unsubscribed`, `dsar_fulfilled`.

API:
  • `GET /consents?user_id=…`
  • `POST /consents` (create/withdraw/update)
  • `POST /marketing/preferences`
  • `POST /gpc/signal`
  • Infrastructure: server-side cache of consents, geo-binding of logs, masking of identifiers on deny.

17) Risks and prevention

Tags fire before consent. → Deny by default, E2E tests, alerts.
Dark patterns in the banner. → Design review, equal visibility of buttons.
Status mismatch in CRM/Ads. → A single suppression service and daily reconciliations.
Collecting unnecessary identifiers. → Minimization, masking, regional profiles.
Lack of evidence. → Screenshots/hashes/logs in WORM storage.

18) 30-day implementation plan

Week 1

1. Approve the taxonomy of cookies/purposes and the texts (locales); DPIA.
2. Select/configure the CMP (TCF 2.2 + custom purposes), enable GPC.
3. Specify the data/artifact model, WORM storage.

Week 2

4. Implement deny by default in the Tag Manager, server-side cache of consents, SDK gates.
5. Build a preference center (channel flags, "unsubscribe from everything").
6. Set up suppression in CRM/Ads and affiliate feeds.

Week 3

7. Pilot on 10-20% of traffic: Opt-in/Withdraw/GPC Honor, firing logs test.
8. Fixes to UX/copy/Tag Manager based on feedback; incident rules.

Week 4

9. Full release; enable KPI/KRI dashboard and alerts.
10. Quarterly audit and CAPA plan.
11. Plan v1.1: server-side tagging for all markets, automated consent reporting.

Related sections:
  • GDPR: user consent management
  • Age verification and age filters
  • Advertising standards and prohibitions/Disclaimers and truthfulness of advertising
  • Transparency of bonus conditions
  • Localization of data by jurisdictions
  • Compliance Dashboard and Monitoring/Internal and External Audit