Cookie Consent Management

Effective Date: April 10, 2026
Jurisdiction: State of Washington, United States
Last Updated: April 10, 2026

1. Overview and Purpose

This document describes Slumbering Forest LLC's ("SForest," "we," "us," "our") cookie consent management process, governance framework, and compliance procedures for managing user consent for cookies, pixels, beacons, and similar tracking technologies on the SForest Platform.

This process ensures compliance with:

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
State privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.)
General Data Protection Regulation (GDPR) - for EU/EEA/UK users
UK Data Protection Act 2018
Best practices for user consent and transparency

This Cookie Consent Management Process should be read alongside the Cookie Notice (https://sforest.io/legal/cookie-notice) for detailed information about specific cookies used.

SForest implements cookie consent management based on:

Regulatory Requirements: GDPR, CCPA/CPRA, and state privacy laws require explicit consent for certain cookies
Best Practices: Industry standards recommend transparent, granular consent for tracking
User Rights: Users have the right to control what cookies are set on their devices
Transparency: Clear disclosure of cookie purposes and use

The following cookie categories require explicit user consent:

Performance/Analytics Cookies: Tracking user behavior and engagement
Functional Cookies: Enhanced features and personalization beyond basics
Targeting/Advertising Cookies: Personalized ads and conversion tracking

The following do NOT require consent (but still require clear disclosure):

Essential/Strictly Necessary Cookies: Required for basic Platform functionality

SForest adheres to these consent principles:

Valid Consent: Freely given, specific, informed, unambiguous, affirmative
Granular Consent: Users can accept/reject specific cookie categories
Withdrawal: Consent can be withdrawn as easily as given
Transparency: Clear disclosure of cookie use before consent
No Dark Patterns: Reject option equally prominent as accept
Records: Consent decisions documented and auditable

SForest displays a cookie consent banner on first visit to the Platform:

Banner Placement:

Displayed prominently on home page and major entry points
Appears before non-essential cookies are set
Remains visible until user takes action
Not dismissible by clicking outside or pressing Escape (must choose option)

Banner Content:

Clear explanation of cookie use
Description of cookie categories
Links to detailed Cookie Notice
Options for granular consent

Banner Design:

Plain, readable text (no misleading colors or fonts)
Clear options: Accept All, Reject Non-Essential, Customize
"Customize" option equally prominent as "Accept"
Link to Cookie Preferences for future changes

3.2 Banner Content and Transparency

The banner includes:

"This site uses cookies and similar technologies"
Overview of cookie types: Essential, Performance, Functional, Targeting
Purpose statement: "to improve your experience, analyze usage, and provide personalized ads"
Link to Cookie Notice with detailed information
Explanation of each category and its purpose
Clear statement of what happens if user rejects cookies

Example banner text:

"We use cookies and similar technologies to:
- Ensure the Platform works properly (Essential)
- Understand how you use our Platform (Performance)
- Remember your preferences (Functional)
- Show you personalized ads (Targeting)

You can accept all cookies, reject non-essential cookies,
or customize your preferences. See our Cookie Notice for details.

Users can select consent granularly:

Option 1: Accept All Cookies

Accepts all Essential, Performance, Functional, and Targeting cookies
Fastest option for users accepting all tracking

Option 2: Customize Preferences

Opens Cookie Preference Center
Allows selection of specific cookie categories
Essential always enabled (cannot be rejected)
Performance, Functional, Targeting can be toggled independently
Save preferences and return to Platform

Option 3: Reject Non-Essential

Accepts only Essential cookies
Rejects Performance, Functional, and Targeting
No additional tracking beyond basic functionality

For Users With Existing Consent:

Banner does not reappear if valid consent on record
Banner appears if preferences not yet set
"Manage Preferences" link available in footer

For New Users:

Banner appears on first visit
Must take action (Accept All, Customize, or Reject)
Page may not be used until consent provided
Links available to review Cookie Notice

After Cookie Clearing:

If user clears cookies, consent record may be cleared
Banner reappears on next visit
User must provide consent again

When a user makes a consent decision, SForest records:

User Identifier: Unique user ID (anonymized if not logged in)
Consent Timestamp: Date and time consent was provided
Consent Choices: Specific categories accepted/rejected
Cookie Version: Which version of Cookie Notice user consented to
IP Address: For record-keeping and fraud prevention
Device/Browser: Device type and browser information
Referer: How user accessed the Platform
Consent Method: Banner selection, preference center, API, etc.

Consent decisions are stored in:

HTTP Cookie: Persistent cookie marking consent provided (1 year)
Browser Local Storage: JavaScript object with consent details
Backend Database: Detailed record linked to user account/device
Analytics: Consent status tracked in analytics systems

Encryption and Security:

Backend records encrypted in transit (HTTPS/TLS)
Sensitive data encrypted at rest (AES-256)
Access limited to compliance and analytics teams
Records retained 7 years for audit purposes

For Logged-In Users:

Consent preferences linked to user account
Same preferences apply across devices/browsers
User can manage preferences through account settings

For Logged-Out Users:

Consent recorded per device/browser
Different devices have independent consent records
Users can update preferences per device

SForest implements jurisdiction-specific consent models:

European Union/EEA/UK:

Model: Opt-in for non-essential cookies
Method: Explicit consent required BEFORE cookies set
Banner: Prominent, with reject option equally available
Withdrawal: Easy, clear withdrawal mechanism
Policy: GDPR Article 7 compliant consent

California (CCPA/CPRA):

Model: Opt-out for targeted advertising and profiling
Method: "Do Not Sell My Personal Information" mechanism
Banner: Consent for performance/analytics; opt-out for targeting
Tracking: Performance cookies may be set pending consent
Opt-Out Rights: Must honor within 45 days

Other US States (VA, CO, CT, DE, IN, IA, ME, MT, NV, NH, TN, UT):

Model: Opt-out for targeted advertising and automated decision-making
Method: "Opt Out of Targeted Advertising" link in footer
Banner: Consent recommended; opt-out required
Tracking: Limited tracking may proceed pending consent
Rights: Granular controls for ad targeting, profiling, analytics

Rest of World (Default):

Model: Opt-out with transparency
Method: Consent banner with clear options
Banner: Information provided; limited auto-tracking
Tracking: Non-intrusive tracking permitted pending consent
Rights: Full data subject rights honored per applicable law

5.2 Geographic Detection

SForest detects user location through:

IP Address: Primary geographic identifier (city/state/country)
User Account: If user logs in with location data
User Input: If user selects location/jurisdiction
Geolocation API: If user grants browser permission

Location accuracy: IP geolocation is accurate to country/state level but may have limitations.

5.3 Jurisdiction Conflicts

If a user's location is unclear or crosses jurisdictions:

Most protective rule applies (typically GDPR standards for EU uncertainty)
User has right to request specific jurisdiction's rules
SForest defaults to higher privacy protection if uncertain
User can override auto-detected location in preferences

6. Opt-In vs. Opt-Out by Jurisdiction

6.1 Opt-In Model (EU/EEA/UK)

GDPR Requirement: Explicit, affirmative consent required BEFORE non-essential cookies set

Implementation:

No non-essential cookies set until consent provided
Banner displayed prominently on entry
Require active selection (no pre-checked boxes)
"Reject" option as prominent as "Accept"
Can toggle specific categories on/off
Consent must be renewed if cookies expire
Withdrawal available at any time

User Actions:

Click "Accept All" → All cookies enabled
Click "Customize" → Select specific categories
Click "Reject Non-Essential" → Only Essential cookies
Banner persists until action taken

Technical Implementation:

Essential cookies set immediately (no consent needed)
Non-essential cookies set ONLY after consent received
Consent recorded in backend and browser
Banner re-triggered if consent expired or cleared

6.2 Opt-Out Model (California/Other US States)

CCPA/CPRA Requirement: Right to opt-out of sale/sharing and targeted advertising

Implementation:

Limited tracking may proceed pending opt-out decision
"Do Not Sell My Personal Information" link prominently displayed
"Opt Out of Targeted Advertising" mechanism available
Opt-out recorded immediately upon selection
Annual affirmation of opt-out status required

User Actions:

Accept cookies and ads → Targeted advertising enabled
"Opt Out of Targeted Advertising" → Ad targeting disabled
"Do Not Sell My Personal Information" → No data sale/sharing
Preferences accessible in account settings

Technical Implementation:

Some tracking proceeds pending opt-out (analytics, essential)
Targeting cookies not loaded if opt-out detected
Opt-out status checked before personalizing ads
Opt-out honored for 13 months before re-confirmation needed

6.3 Comparison Table

Aspect	Opt-In (EU/EEA/UK)	Opt-Out (US)
Default	No non-essential tracking	Limited tracking allowed
Consent Required	Yes, explicit & affirmative	No, but transparency required
Pre-checked Boxes	Not allowed	Not allowed
Timing	Before cookies set	Can track pending opt-out
Burden	On SForest to obtain consent	On user to opt-out
Enforcement	Strict (GDPR fines 4% revenue)	Moderate (CCPA fines $100-$7,500/violation)
Tracking	Minimal until consent	Permitted unless opted out

Users can withdraw consent anytime:

Methods:

Use Cookie Preference Center (footer link)
Access cookie preferences in account settings (if logged in)
Email [email protected] with withdrawal request
Click "Manage Preferences" in any consent banner

Withdrawal Effects:

Previously set cookies removed from device (cleared on next page load)
No new cookies from withdrawn categories set
Existing data collected under prior consent retained (with privacy law exceptions)
Analytics of past behavior retained (anonymized)
Withdrawal effective immediately

Withdrawal Confirmation:

User receives confirmation of withdrawal
Preference updated in user account
Backend records updated
Next website visit reflects new preferences

7.2 Changing Specific Preferences

Users can adjust individual categories:

Granular Controls:

Essential: Locked (cannot disable)
Performance: Toggle on/off independently
Functional: Toggle on/off independently
Targeting: Toggle on/off independently

Persistent Preferences:

Logged-in users: Preferences saved to account
Logged-out users: Preferences saved to device
Changes synced across devices for logged-in users
Changes effective on next page load

Preference Expiration:

Preferences retained for 13 months
Annual re-confirmation may be required (GDPR compliance)
If preferences expire, banner reappears
User must re-confirm preferences

Annual Re-Confirmation (GDPR):

After 12 months, consent may be re-requested
Material changes to cookie use require renewal
Banner appears with updated information
User must affirmatively re-consent

Triggered Re-Confirmation:

New cookies added to a category
Significant changes to cookie purposes
Cookie policy updates
Sub-processor changes

Grandfathered Consent:

Existing consent remains valid if no material changes
No re-confirmation needed for unchanged practices
SForest maintains consent dates and versions

8. Technical Implementation

SForest uses the following technologies for consent management:

Primary CMP (Consent Management Platform):

Planned: OneTrust (industry-leading CMP)
Alternative: TrustArc or Cookiebot
Self-built: Custom consent system with CMP-like functionality
Feature parity with major CMPs (consent collection, granularity, audit trails)

Implementation Details:

Banner code injected on all pages before tracking scripts load
Banner blocks non-essential scripts until consent provided
Consent data stored in encrypted backend database
Cookie consent flags set/checked on each page load

8.2 Script Blocking and Conditional Loading

SForest blocks scripts based on consent:

Script Loading Flow:

Page loads; CMP banner displays
Essential scripts load immediately (no consent needed)
Non-essential scripts blocked until consent received
User selects consent preference
Only selected category scripts load
Page reload or script injection loads new scripts
Subsequent pages load only consented scripts

Scripts by Category:

Category	Scripts Blocked	Scripts Loaded
Essential	None	Session, auth, CSRF, load balancer
Performance	Google Analytics, Mixpanel, Hotjar	If consented
Functional	Enhanced feature libraries	If consented
Targeting	Google Ads, Facebook Pixel, LinkedIn	If consented

SForest maintains a Consent Record API for internal use:

POST /api/consent/record
{
  "user_id": "user123",
  "timestamp": "2026-04-10T14:30:00Z",
  "decisions": {
    "essential": true,
    "performance": false,
    "functional": true,
    "targeting": false
  },
  "version": "1.2",
  "method": "banner_selection"
}

API Usage:

Record consent decisions from banner/preference center
Query user consent status on backend
Update consent status
Generate compliance reports

Consent decisions persisted across:

Browser Sessions: Persistent cookie + localStorage
Device Sessions: Backend database linked to user/device
Account Sessions: Linked to user account (if logged in)
Data Retention: 7 years for audit and compliance

9. Compliance Monitoring and Auditing

9.1 Compliance Checks

SForest implements monitoring to ensure compliance:

Automated Checks:

Audit scripts verify essential-only cookies loaded before consent
Verify non-essential cookies blocked until consent given
Verify consent choices honored (no cookies set against user choice)
Log non-compliance instances

Manual Reviews:

Quarterly compliance audits
Testing from different jurisdictions
Testing from fresh devices (no prior consent)
Testing consent withdrawal and changes

9.2 Compliance Reports

SForest maintains compliance documentation:

Reports Generated:

Monthly consent statistics (consent rate, categories selected)
Non-compliance incident log
User consent preference distributions
Cookie blocking effectiveness

Audit Trail:

Records of all consent decisions (timestamp, choices, method)
Changes to consent management system
Updates to Cookie Notice and cookie list
Training records for compliance team

9.3 Third-Party Compliance Audits

SForest undergoes external audits:

Annual Audits: Third-party CMP/privacy auditor
SOC 2 Type II: Security and privacy controls audit (includes consent)
GDPR Compliance: External data protection consultant review
CCPA Compliance: California privacy law compliance review

Material changes trigger re-consent requirement:

Material Changes:

Addition of new cookies to any category
Change in cookie purpose or use
Change in data retention period
Introduction of new tracking methods
Changes to third-party Sub-Processors
Privacy policy updates affecting cookies

Non-Material Changes:

Cookie duration extension (for same purpose)
Technical improvements to existing cookies
Clarification in Cookie Notice language
Sub-Processor swaps (same function, same privacy level)

10.2 Notice of Changes

For material changes:

Banner appears on next visit with "Updated Cookie Notice"
Email notification sent to logged-in users
New Cookie Notice version published with effective date
30-day transition period (old consent respected, then re-confirmation)
Users must re-confirm consent to continue

10.3 Version Control

SForest maintains version control for:

Cookie Notice (version history and effective dates)
Cookie Consent Management Process (this document)
Cookie list (which cookies included in each version)
Consent framework changes

11. User Rights and Data Subject Requests

Users have the right to:

Know: Request information about cookies SForest uses
Access: Receive copy of consent records
Delete: Request deletion of consent records and cookie data
Correct: Request correction of cookie data
Opt-Out: Withdraw consent or opt-out of specific categories
Portability: Receive consent records in portable format
Not Discriminate: Not be penalized for exercising rights

11.2 Handling Data Subject Requests

SForest processes cookie-related data subject requests:

Access Requests:

Provide list of cookies used
Provide user's consent records and choices
Provide copies of consents given
Timeline: 30 days

Deletion Requests:

Delete user's consent records (except as required by law)
Clear user's consent cookies
Delete cookies from device (user may need to clear browser)
Timeline: 30 days

Withdrawal Requests:

Process consent withdrawal immediately
Update user preferences
Stop loading cookies from withdrawn categories
Timeline: Immediate

Contact: [email protected]

12. Special Populations

12.1 Minors and Children

SForest does NOT:

Intentionally collect data from minors under 18
Obtain consent from minors for cookies
Track minors for targeting/advertising
Sell minors' personal data
Process biometric or health data of minors

Age Verification:

Platform restricted to 18+ users
Age verification occurs during account creation
Accounts of minors are terminated

12.2 COPPA Compliance (if applicable)

If SForest collected data from US children under 13 (not intended):

Would comply with Children's Online Privacy Protection Act (COPPA)
Would obtain parental consent
Would not use cookies for tracking/targeting
Would delete children's data promptly

Current Status: Not a children's platform; COPPA does not apply.

13. Contact Information

For questions about cookie consent management:

Slumbering Forest LLC
Privacy Officer
Email: [email protected]
Website: https://sforest.io

Mailing Address:
1420 5TH AVE STE 2200
SEATTLE, WA 98101-1346

To manage cookie preferences or withdraw consent:

Use Cookie Preference Center: https://sforest.io/cookie-preferences
Or email: [email protected] with subject "Consent Withdrawal"

13.3 Regulatory Authority

To file a complaint with a data protection authority:

California Attorney General: https://oag.ca.gov/
US FTC: https://reportfraud.ftc.gov/
EU Data Protection Authority: [Your jurisdiction's DPA]
UK ICO: https://ico.org.uk/

14. Amendments to This Process

14.1 Process Updates

SForest may update this Cookie Consent Management Process:

Updates posted with effective date
Material changes require user notification
No retroactive changes to past consent decisions

14.2 User Notification

For material updates:

Banner notification on next visit
Email to registered users (if logged in)
30-day implementation period
Continued use = acceptance of updates

A.1 Banner Text (US Default - Opt-Out Model)

We use cookies and similar technologies to improve your experience,
analyze how you use our Platform, and provide personalized content
and advertising.

Cookie Categories:
- Essential: Required for Platform functionality
- Performance: Analyze usage and improve services
- Functional: Remember your preferences
- Targeting: Show you relevant ads

Learn more about our cookie practices in our Cookie Notice.

[ Accept All ]  [ Customize ]  [ Reject Non-Essential ]

A.2 Banner Text (EU - Opt-In Model)

We use cookies and similar technologies. Some are essential for
the Platform to work. Others help us understand how you use our
Platform and provide personalized ads.

You have the right to accept or reject cookies other than essential.

[ Accept All ]  [ Customize ]  [ Reject Non-Essential ]
[ View Cookie Notice ]

A.3 Customize Preferences Template

Manage Your Cookie Preferences

Essential Cookies (Always On)
These cookies are necessary for the Platform to function properly.
They include session cookies, authentication, and security features.
[ ON ] Cannot be turned off

Performance Cookies
These cookies help us understand how you use the Platform so we can
improve it. They track page views, features used, and general
engagement.
[ ON ]  [ OFF ]

Functional Cookies
These cookies remember your choices and preferences to provide a
more personalized experience.
[ ON ]  [ OFF ]

Targeting Cookies
These cookies enable personalized advertising and track conversions.
They may be shared with advertising partners.
[ ON ]  [ OFF ]

[ Save Preferences ]  [ Accept All ]  [ Reject Non-Essential ]

Record Type	Retention Period	Legal Basis
Consent decisions	7 years	Tax/compliance requirement
Audit logs	7 years	Regulatory and audit
Consent timestamps	7 years	Proof of compliance
Category selections	7 years	Audit trail
Withdrawn consents	7 years	Compliance history
User preferences	13 months	Active consent period

User Visits Platform
        ↓
Location Detected (IP, account)
        ↓
Consent on Record?
    ├─ YES → Skip banner, load consented cookies
    └─ NO → Display consent banner
        ↓
    User Selects Preference
        ├─ Accept All → Load all cookies
        ├─ Customize → Load selected categories
        └─ Reject Non-Essential → Load essentials only
        ↓
    Record Consent Decision
        ↓
    Load Appropriate Cookies
        ↓
    User Navigates Platform
        ↓
    User May Withdraw/Change Preferences
        ├─ Access Preference Center
        ├─ Update choices
        └─ Reload page with new cookies

Acknowledgment

By using the SForest Platform, you acknowledge:

You have read this Cookie Consent Management Process
You understand your cookie choices and rights
You will manage your preferences through available tools
You may contact [email protected] with questions

Cookie Consent Management

Cookie Consent Management Process

1. Overview and Purpose

2. Consent Framework Overview

2.1 Legal Basis for Consent

2.2 Cookies Requiring Consent

2.3 Consent Standards

3. Consent Collection Mechanism

3.1 Consent Banner/Pop-up

3.2 Banner Content and Transparency

3.3 Granular Consent Options

3.4 Consent Banner on Subsequent Visits

4. Consent Decision Recording and Storage

4.1 Consent Record Details

4.2 Consent Storage

4.3 Cross-Device and Cross-Browser Consent

5. Consent Implementation by Jurisdiction

5.1 Default Consent Model by Region

5.2 Geographic Detection

5.3 Jurisdiction Conflicts

6. Opt-In vs. Opt-Out by Jurisdiction

6.1 Opt-In Model (EU/EEA/UK)

6.2 Opt-Out Model (California/Other US States)

6.3 Comparison Table

7. Consent Withdrawal and Changes

7.1 Withdrawal of Consent

7.2 Changing Specific Preferences

7.3 Re-Confirmation of Consent

8. Technical Implementation

8.1 Cookie Consent Technology Stack

8.2 Script Blocking and Conditional Loading

8.3 Consent Record API

8.4 Cookie Consent Persistence