Categories & Regions
Learn how ConsentStack uses categories and regions to apply the right consent rules for every visitor automatically.
ConsentStack uses two building blocks to decide how consent works on your site: categories (what you collect) and regions (where your visitors are). Together, they determine which consent rules apply to every visitor automatically.
Categories
A category is a group of cookies or scripts that share a common purpose. When a visitor makes a consent choice, they accept or reject an entire category at once — not individual cookies.
Built-in categories
ConsentStack ships with three default categories:
| Category | Purpose | Requires consent? |
|---|---|---|
| Essential | Cookies your site needs to function (session cookies, security tokens) | No — always active |
| Analytics | Help you understand how visitors use your site (page views, traffic sources) | Yes |
| Marketing | Used to deliver personalized ads and track campaigns | Yes |
A fourth built-in category, Functional (enhanced features like chat widgets and saved preferences), is available but not included by default. You can add it in the Config Builder.
Essential vs. optional
Essential categories are always active. Visitors cannot disable them, and they do not appear as toggles in the preferences panel. Every other category is optional — visitors can accept or reject it, depending on the consent rules for their region.
Custom categories
Need something more specific? You can create custom categories (like "Social Media" or "Personalization") that work exactly like the built-in ones. Add them in the Config Builder's compliance tab.
Regions
A region is a geographic grouping tied to a privacy regulation. ConsentStack detects where each visitor is located and matches them to the right region — no configuration needed on your part.
Built-in regions
| Region | Covers | Regulation |
|---|---|---|
| GDPR | 32 countries — the EU, EEA, UK, and Switzerland | GDPR / UK GDPR |
| US State Privacy Laws | 18 US states with privacy legislation (California, Virginia, Colorado, Texas, and more) | CCPA, VCDPA, CPA, and others |
| Everyone else | All countries and states not covered above (the default) | No specific regulation |
The "Everyone else" region acts as a catch-all. Any visitor who does not fall into a more specific region is handled here.
How categories and regions work together
Each category has a consent model that can vary by region. The consent model controls what the visitor sees and whether scripts run before consent is given.
Here are the defaults:
| Category | GDPR | US State Laws | Everyone else |
|---|---|---|---|
| Essential | Exempt | Exempt | Exempt |
| Analytics | Opt-in | Per-state | Notice-only |
| Marketing | Opt-in | Per-state | Notice-only |
What each model means for your visitors:
- Exempt — No consent needed. Scripts run immediately. The category does not appear in the preferences panel.
- Opt-in — Scripts are blocked until the visitor actively accepts. They see Accept and Reject buttons.
- Per-state — ConsentStack checks which US state the visitor is in and applies the correct model for that state's law automatically.
- Notice-only — An informational banner with an Acknowledge button. Scripts run by default.
You do not need to memorize these rules. ConsentStack applies the right model for each visitor based on their location — your defaults are already compliant out of the box.
Customization
The defaults cover the most common setup, but you have full control:
- Add custom categories to match how your site uses cookies (e.g., "Social Media", "A/B Testing").
- Add custom regions if you need to treat a specific country or group of countries differently.
- Override any rule in the matrix. For example, you could set Analytics to opt-in everywhere, or set a stricter model for a specific region.
All of these changes are made in the Config Builder's compliance tab.
What's next
- Banner & Preferences — Learn how the consent banner and preferences panel appear to your visitors.