Privacy compliance templates — drop-in starting points

Free, ad-free templates for the privacy work that actually shows up on your desk: cookie banner texts (CNIL · TTDSG/TDDDG · Garante · PECR), GDPR / CCPA / LGPD privacy policies, DSAR replies, Consent Mode v2 snippets, DPIA scaffolds. Each drafted against the statute and regulator guidance that govern it; cross-linked to /laws/ and /countries/.

Editorial research — not legal advice

Cookie banners · 5

Drop-in banner copy scoped to a regulator.

Cookie banners 2 vars

Cookie banner text · France · CNIL-aligned

FR: Nous utilisons des cookies pour faire fonctionner ce site. Avec votre accord, nous utilisons aussi des cookies pour la mesure d'audience et la personnalisation. Vous pouvez retirer votre consentem…

Scope law ePrivacy
Jurisdiction France
Assumes CNIL Lignes directrices and Recommandation, both adopted 17 September 2020 (compliance deadline March 2021). Reject-all has equal visual weight (same size, same colour weight) per CNIL délibération 2020-091. 13-month consent validity max.
Cookie banners 2 vars

Cookie banner text · Germany · TTDSG-compliant

DE: Wir nutzen Cookies und ähnliche Technologien, um die Funktionsweise unserer Website zu gewährleisten. Mit Ihrer Einwilligung verwenden wir auch Cookies für Analyse und personalisierte Inhalte. Sie…

Scope law GDPR
Jurisdiction Germany
Assumes the German TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz, 2021), renamed TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) effective 14 May 2024, with substantive consent rules unchanged. Also assumes (a) all cookies are blocked until the user clicks Accept or Preferences→Save, and (b) reject-all sets analytics_storage and ad_storage to denied via Consent Mode v2.
Cookie banners 1 var

Cookie banner text · Italy · Garante-aligned

IT: Utilizziamo cookie per il funzionamento del sito. Con il tuo consenso, utilizziamo cookie anche per analisi e personalizzazione. Puoi revocare il consenso in qualsiasi momento. Maggiori informazio…

Scope law ePrivacy
Jurisdiction Italy
Assumes Garante Linee guida cookie e altri strumenti di tracciamento, provvedimento del 10 June 2021. Equal-weight reject button mandatory. Max 6 months for the consent record (Garante stricter than CNIL's 13-month standard). No use of dark patterns; no scroll-as-consent.
Cookie banners 2 vars

Cookie banner text · United Kingdom · PECR + UK GDPR

EN-GB: We use cookies to make this site work. With your consent, we also use cookies for analytics and personalisation. You can change your preferences at any time. See our Privacy notice (/privacy/) a…

Scope law PECR
Jurisdiction United Kingdom
Assumes ICO cookies guidance (updated 2023). Reject-all required at the same level as Accept. ICO does not enforce a fixed consent duration but expects "reasonable" — typically 6-12 months for marketing cookies.
Cookie banners 3 vars

Do Not Sell or Share My Personal Information · CCPA/CPRA link

HTML (footer link): Do Not Sell or Share My Personal Information Page /privacy/dont-sell-or-share/ — minimum content: Do Not Sell or Share My Personal Information You have the right under the Califor…

Scope law CCPA/CPRA
Jurisdiction California
Assumes CPRA §1798.135 — link in footer or homepage. GPC signal recognition is mandatory for CPRA-covered businesses (Cal AG settlement against Sephora 2022). 15-business-day acknowledgment for opt-outs.

Privacy policies · 3

Transparency-clause scaffolds per statute.

Privacy policies 12 vars

Política de Privacidade · Brasil (LGPD)

Política de Privacidade Data efetiva: {{dataefetiva}} Última revisão: {{ultimarevisao}} Esta política cumpre o dever de transparência do controlador sob a LGPD Art 9, que assegura ao titular o direito…

Scope law LGPD
Jurisdiction Brazil
Assumes a Portuguese-language version is mandatory (LGPD Art 9). A data protection officer (Encarregado) is mandatory for most controllers (LGPD Art 41). 15-day deadline for responding to requests (LGPD Art 19). RNBD is not required under LGPD (it was a requirement of the previous legislation).
Privacy policies 12 vars

Privacy policy · EU/EEA baseline (GDPR Art 13/14)

Privacy Policy Effective date: {{effectivedate}} Last reviewed: {{lastreviewed}} 1. Who we are {{controllername}} ("we", "us"). Registered office: {{controlleraddress}}. Contact: {{controlleremail}}.…

Scope law GDPR
Jurisdiction Baseline (adapt per market)
Assumes EU/EEA baseline. Add national-language version per Loi Toubon (FR), Italian Codice Privacy, Polish UODO. Add §10 for automated decision-making if applicable. For UK, retitle "GDPR" → "UK GDPR" and replace EDPB link with ICO https://ico.org.uk/.
Privacy policies 10 vars

Privacy policy · US multi-state (CCPA/CPRA · VCDPA · TDPSA · CO/CT)

Privacy Policy Effective date: {{effectivedate}} Last reviewed: {{lastreviewed}} 1. Scope This policy applies to {{sitedomain}}, operated by {{controllername}}. It addresses the requirements of Calif…

Scope law CCPA/CPRA
Jurisdiction Baseline (adapt per market)
Assumes Covers CA + VA + TX + CO + CT as of mid-2026. For Florida, Oregon, Delaware, Iowa, Tennessee — generally compatible; review state-specific notice of right to opt-out. Universal opt-out signal recognition is mandatory in CA, CO, CT, TX (TX as of TDPSA effective date 2024-07-01).

Per-cookie inventory + disclosure pages.

DSAR / DSR replies · 2

Subject-request response skeletons.

DSAR / DSR replies 18 vars

DSR reply template · CCPA/CPRA consumer request

Subject: Re: California Privacy Rights Request — {{ticketid}} Dear {{requestorname}}, Thank you for your request received on {{requestreceiveddate}}. This is our response under the California Consumer…

Scope law CCPA/CPRA
Jurisdiction California
Assumes CCPA §1798.130(a)(2) — 45-day response window from verified-identity date. Extension by 45 days once. CPRA "limit use of sensitive PI" only triggers when sensitive PI is used outside disclosed business purposes. Adapt for VCDPA/TDPSA/CO/CT — different time windows.
DSAR / DSR replies 23 vars

DSR reply template · GDPR Article 15 access request

Subject: Re: Data Subject Access Request — {{ticketid}} Dear {{requestorname}}, Thank you for your request received on {{requestreceiveddate}}. This is our response under GDPR Article 15. Identity ve…

Scope law GDPR
Jurisdiction Baseline (adapt per market)
Assumes Use within 30 days of verified-identity date. If extension needed (Art 12(3) — up to 60 days additional), notify within 30 days with reasoning. Attach machine-readable export (JSON or CSV) for full data dump.

GTM init snippets (default-deny + signals).

DPIA skeletons · 1

Risk-assessment scaffolds for analytics.

DPIA skeletons 29 vars

DPIA skeleton · Analytics tool deployment

Data Protection Impact Assessment (DPIA) {{toolname}} deployment on {{sitedomain}} Author: {{authorname}} ({{authorrole}}) Reviewed by DPO: {{dponame}} Date: {{dpiadate}} Version: 1.0 Drafted to sati…

Scope law GDPR
Jurisdiction Baseline (adapt per market)
Assumes Required under GDPR Art 35 for processing "likely to result in a high risk". Analytics with cross-site tracking + behavioural profiling + millions of users typically triggers it. For Plausible/Fathom-style cookieless analytics, simplified DPIA may be sufficient. Document the residual-risk decision and revisit annually.
Week of Jun 19, 2026

Notes from the desk

Editorial reading as of 2026-05-07 — not legal advice. A template is a starting point, not a finished artefact. Every cookie banner here was drafted against a specific regulator's published guidance; every privacy policy was drafted against the statute's transparency clause as written, not as enforced. The factual gap between drafted and enforced is exactly where qualified counsel earns their fee — in practice, many compliance teams use these templates to handle the bulk of the scaffolding work, then route the final pass through counsel admitted in the relevant jurisdiction.

Editorial reading as of 2026-05-06 — not legal advice. Read the assumptions block on every template before deploying. We see two recurring failure modes: deploying a template against an outdated processor list (your DPA's vendor disclosure no longer matches your privacy notice), and deploying a template with placeholder variables left unsubstituted. The DPIA skeleton in particular has dozens of placeholder variables that all need to be replaced — leaving any of them is worse than not having a DPIA at all.

Editorial reading as of 2026-05-05 — not legal advice. Templates here are scoped narrowly on purpose. The German banner is drafted against TTDSG (renamed TDDDG in May 2024) plus the consolidated DSK (Datenschutzkonferenz) guidance on equivalent button prominence for accept and reject; deploying it on a French-targeted property without adapting it to CNIL's specific banner-design jurisprudence is a recurring mistake. Pick the template whose jurisdiction matches your traffic, then adapt — don't pick a 'closest' one and hope.

How we draft these · Methodology

Drafted, not deployed. Editorial reading as of 2026-05-05; not legal advice. Each template is a scaffolded starting point — drafted against the relevant statute as written, plus the regulator's published guidance. The factual application to your processor list, banner stack, audience, and cookie inventory is what your counsel adapts.

Variable placeholders. The "X vars" badge counts substitution tokens declared in the template's variables_jsonb. The DPIA skeleton has the most — several dozen across description, risk, mitigation, and sign-off sections — and a partially-completed assessment with placeholder text left in place is more likely to attract regulator scrutiny than a properly-completed one would be.

Assumptions block. Every template carries an assumptions paragraph listing what you should already have in place before deploying it. Ignoring assumptions is the most common failure mode we see — typically: deploying a banner template against an outdated processor list, or a privacy policy template against a sub-processor stack the policy doesn't mention.

Scope discipline. Templates are scoped narrowly — German banner ≠ French banner. Pick the one whose jurisdiction matches your traffic; don't pick a "closest" template and hope. Where scope is "Baseline (adapt per market)", the template is a region-baseline that you market-adapt before deployment.

Licence. Free to copy, adapt, and deploy. SetupAnalytics does not warrant accuracy or currency. These templates do not establish a lawyer-client relationship.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. These templates do not establish a lawyer-client relationship and are not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment, transfer, or contract.