Manage website cookies and privacy compliance

Managing website cookies is an important part of privacy compliance under laws like GDPR and CCPA. Finalsite provides tools to configure cookie consent banners and control which tracking technologies are active on your site, helping districts meet evolving data privacy requirements.

💡 Quick answers

  • Why must schools manage website cookies for compliance? Privacy laws like GDPR (EU) and CCPA (California) require websites to disclose and obtain consent for non-essential tracking cookies; failure to comply can result in legal liability.
  • How do Finalsite's sites collect cookies? Finalsite sites use strictly necessary cookies for session management and security. If you add custom tracking or third-party scripts, those require a separate consent mechanism.
  • What tools does Finalsite provide for cookie management? Cookie consent banner configuration tools that let you categorize cookies, display consent notices to visitors, and honor user choices about tracking preferences.
  • Can visitors opt out of non-essential cookies on a Finalsite site? Yes, when the cookie consent banner is configured; visitors can accept or decline non-essential tracking cookies, and the site respects their choice.

As data privacy laws evolve, managing website cookies is a critical part of maintaining trust with your district and school community. This guide explains how cookies work on your platform, how consent is achieved with a clear policy, and how to navigate compliance requirements depending on your geographic location. 

Glossary: Key privacy terms

| Term | What it is | How it works |
|---|---|---|
| Identifiers | A general technical "catch-all" term | Any data (ID numbers, text files, or tokens) used by a website to recognize a browser or user session. |
| Cookies | Persistent text files | Stored on a user's hard drive for a set time (days or months). They "remember" a user even after the browser is closed. |
| Session Identifiers | Temporary data (sessionStorage) | Used by Ask AI. Data is stored only for the duration of a single visit and is automatically deleted when the tab is closed. |
| Strictly Necessary / Essential | Interchangeable compliance terms | The "foundation" of your site. These are scripts required for security, logins, or features (like Ask AI) to function correctly. |

⚠️ Important Note 

A cookie policy is a legal document. To avoid potential fines or regulatory issues, you must collaborate with your organization's legal counsel to review your policy. Finalsite provides the tools for implementation, but the legal sufficiency of your specific policy is the responsibility of your institution.

Do you use Finalsite’s Ask AI?

Ask AI uses a similar technology called sessionStorage. Unlike traditional cookies that can stay on a device for months, session storage is strictly temporary and is automatically deleted the moment the user closes their browser tab. For the purpose of privacy compliance, both are managed using the same tools. If Ask AI is left as "Unclassified", your consent manager may block the Ask AI feature from appearing on visitors’ sites. Learn more about how session storage works in Ask AI with the article, "Manage session data in Ask AI."

Step 1: Identify your cookie categories

Before drafting a policy, identify how your site collects data. Cookies typically fall into these four categories:

  • Strictly necessary cookies: These are required for the site to operate, such as maintaining a "logged-in" session. Learn more about 
  • User preferences: These store choices a user makes so they are remembered for future visits.
  • Tracking and analytics: These measure what pages are visited and how long users stay to help improve the site.
  • Third-party cookies: If you use embedded services (like a yearbook flipbook, Vimeo, or a specific social media plugin), those providers may set their own cookies.

⚠️ Important Note

Clients using only native Finalsite platform features are generally compliant without an additional consent banner because our standard cookies are "strictly necessary." However, if your organization adds any custom tracking (such as third-party Ads or Google Analytics), you are required to provide a consent mechanism—Opt-out for US audiences or Opt-in for EU/GDPR audiences.

Strictly necessary cookies

For 2026, our standard platform cookies are categorized as "strictly necessary." If your school uses only our native features, your site remains compliant without an additional banner. However, if you add your own tracking (such as ads or analytics), you must provide a consent mechanism for your users. 

Under privacy laws like the GDPR or the EU Cookie Law, a cookie is "strictly necessary" if the website cannot function properly without it. If you use third-party management software (OneTrust, CookieBot, etc.), mark the following as strictly necessary:

| Category | Identifier Names | Purpose |
|---|---|---|
| Security & Performance | _cflb, _cf_bm, _cfduid, cf_clearance, __cfruid | Managed by Cloudflare to protect the site from malicious traffic and optimize load speeds. |
| Session & Functionality | CFID, CFTOKEN, CFGLOBALS, JSESSIONID, ISGOOD | Core CMS identifiers that allow users to stay logged in and navigate from page to page. |

Note for Ask AI Users: If your school or district uses Finalsite Ask AI, you may need to add additional technical entries to your consent manager to ensure the feature is not blocked. For a full list of these identifiers, please refer to the article: "Manage session data in Ask AI."

Step 2: Navigating compliance

Cookie regulations are strictly dependent on the geographic location of your website visitors. To remain compliant, you must provide a notice that informs users how their data is used and allows them to take action via a banner or pop-up.

United States laws

Most US state laws currently follow an "Opt-Out" model.

  • The Requirement: You must inform users that cookies are in use and provide a clear, accessible way for them to decline tracking (such as a "Do Not Sell/Share My Personal Information" link).

    ⚠️ 2026 Update: As of January 1, 2026, many US state laws (including the Colorado Privacy Act) have removed the "Right to Cure." Regulatory authorities can now issue immediate fines without a warning period for missing links or failing to honor Global Privacy Control (GPC) signals.

  • Comprehensive State Tracker: Look up your state laws with the IAPP US State Privacy Legislation Tracker. 

European Union laws (GDPR)

The EU follows a strict "Opt-In" model.

  • The Requirement: Users must give explicit, affirmative consent (a "click-through" confirmation) before any non-essential cookies or scripts are placed on their device.
  • Learn more: European Commission Cookies Policy.

Proactive compliance strategy

To remain safe across all jurisdictions, adding a cookie consent banner via your selected Consent Management Platform (CMP) is the most effective way to avoid being out of compliance. These tools can automatically detect a user's location and display the appropriate notice for their specific region.

Step 3: Draft your cookie policy

A cookie policy outlines what your site uses cookies to do, how that data is protected, and how users can control them. Your policy should cover these four main categories:

  • Necessary cookies: Required for the site to operate (e.g., maintaining a "logged-in" session).
  • User preferences: Storing choices a user makes so they are remembered for future visits.
  • Tracking and analytics: Measuring what pages are visited and how long users stay to help improve the product.
  • Third-party cookies: If you use embedded services (like a yearbook flipbook or a specific video plugin), those providers may set their own cookies. You should link to the privacy policies of those specific providers.

⚠️ Important Note

Before publishing your cookie consent banner, it is essential to have your legal team conduct a full audit of your policy text. Every jurisdiction has different requirements; only your legal counsel can confirm that your policy meets the specific standards for your region and data collection practices.

Step 4: Categorize your scripts

Once your policy is drafted, you must ensure your selected Consent Management Platform (CMP) is configured to allow your core features to run. While these steps use Termly as an example, the process is similar for most CMPs.

Create a Termly account

  • Visit the Termly website: Go to Termly's website.
  • Sign up: Click on the “Try for Free” or “Sign Up” button.
  • Choose a plan: Select a plan that suits your needs. Termly offers both free and paid plans with varying features.
  • Fill in details: Provide necessary information such as email, password, and website details.

Set up a Cookie consent banner

  • Navigate to Cookie Consent: Find this option in your dashboard.
  • Customize the Banner: Choose a template and customize colors and fonts to match your school’s branding.
    • Text: Edit the default text to explain your policy clearly. Include options for accepting, rejecting, and customizing preferences.
    • Behavior: Decide when the banner should appear (e.g., on the first page load).

Run a website scan 

  • Initiate a scan in your CMP to detect all active scripts. Termly and other platforms will provide a list of common cookies and scripts, which you must then categorize.
    • What to look for (Ask AI users): Look for askai.finalsite.com
    • What to look for (CMS users): Look for JSESSIONID and CFID in your scan report.

Move to "Strictly Necessary" (Essential)

  • To ensure your site functions correctly, you must manually move the Finalsite CMS and Ask AI identifiers into the Strictly Necessary (or Essential) category.

⚠️ Important Note

 If Ask AI is left as "Unclassified," your selected Consent Management Platform (CMP) may block the chatbot from appearing on your site.

Step 5: Post your policy to your website

Once you have identified your cookie categories and finalized your policy with your legal team, you are ready to post your cookie consent banner. Many Finalsite clients have successfully used Termly to display this popup automatically across all site themes.

  • Log into Composer and open up Domain Settings.
  • Paste this code within the Robots.txt field, under SEO in Domain Settings:

    User-agent: TermlyBot
    Allow: /

  • Generate Code (in Termly): After customizing the banner, Termly will generate a script code.
  • Copy the Code: Copy the provided code snippet, but remove the ?autoBlock=on parameter at the end of the code.
  • Insert Code into the Priority Scripts field.

Step 6: Test your banner in an incognito window

Open your website in a private Incognito window to ensure the banner appears and functions correctly without interference from previously cached data.
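
One way to check what the incognito test shows, as an added example (not Finalsite's or Termly's code): run the cookie names you see before touching the banner through the audit below. The strictly necessary names come from the table in Step 1; the function names, the `extraEssential` parameter, the rule that a GPC signal always blocks non-essential cookies, and the sample cookie string are assumptions made for illustration.

```javascript
// Strictly necessary names from the article's table.
const STRICTLY_NECESSARY = new Set([
  "_cflb", "_cf_bm", "_cfduid", "cf_clearance", "__cfruid",
  "CFID", "CFTOKEN", "CFGLOBALS", "JSESSIONID", "ISGOOD",
]);

// Constructed sample of a cookie string seen before any banner choice.
const SAMPLE = "JSESSIONID=abc123; CFID=42; _ga=GA1.2.111.222; cf_clearance=xyz";

// Parse "a=1; b=2" (document.cookie format) into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// model:   "opt-in" (EU/GDPR) or "opt-out" (most US states), as in Step 2.
// consent: "accepted", "declined", or null if the visitor has not chosen.
// gpc:     true if the browser sends Global Privacy Control
//          (navigator.globalPrivacyControl in browsers that support it).
function nonEssentialAllowed({ model, consent, gpc }) {
  if (consent === "declined") return false;
  if (gpc) return false; // assumption: GPC is honored as an opt-out everywhere
  if (model === "opt-in") return consent === "accepted";
  return true; // opt-out model: allowed until the visitor declines
}

// Return the cookies that should not be present in the given consent state.
// extraEssential (hypothetical parameter): names your CMP or Ask AI needs.
function auditCookies(cookieString, state, extraEssential = []) {
  const essential = new Set([...STRICTLY_NECESSARY, ...extraEssential]);
  const nonEssential = cookieNames(cookieString).filter((n) => !essential.has(n));
  const allowed = nonEssentialAllowed(state);
  return { allowed, nonEssential, violations: allowed ? [] : nonEssential };
}

// Fresh incognito visit from an opt-in region: _ga is a violation.
console.log(auditCookies(SAMPLE, { model: "opt-in", consent: null, gpc: false }));
```

`document.cookie` omits HttpOnly cookies, so for a complete list copy the cookie names from the storage panel of the browser's developer tools instead.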

⚠️ Important Note

Finalsite does not disclose detailed internal cookie collection mechanisms beyond the standard cookies listed above. If you require a full technical audit, consult your legal or IT team.
