We do not always need consent for ads. Under GDPR, consent is generally not required for non-personalized contextual ads that do not rely on personal data, profiling, or behavioral tracking. Since Zerocost focuses on privacy-first contextual advertising, many ad placements may operate under legitimate interest or outside consent requirements depending on implementation and jurisdiction. However, developers remain responsible for ensuring their own compliance based on how they use the product.
To make this practical, Zerocost should support two consent models. First, developers can use the built-in Zerocost consent popup (triggered from the shield/privacy button), where users can manage permissions for products like data collection or recordings. Second, developers should be able to run their own custom consent flow, such as collecting consent during registration, onboarding, account creation, or inside their own privacy settings page.
This should be controlled directly in the Zerocost dashboard with a clear Enable / Disable Consent Popup setting. If enabled, Zerocost handles the consent UI and stores consent states through the SDK. If disabled, the developer confirms they are managing consent independently and acknowledges that legal compliance obligations (GDPR, ePrivacy, CCPA, and other applicable laws) become their responsibility.
Additionally, the dashboard should include API hooks or SDK methods so developers using custom consent flows can pass verified consent states into Zerocost. This gives startups flexibility while ensuring Zerocost can still respect user preferences technically. The result is a system that works for both privacy-conscious builders who want turnkey compliance tools and advanced teams who prefer to manage consent inside their own product experience. (We need a solid plan for all of this, so make a plan before building.)
NOTE: We must also update our TOS, Privacy Policy, Docs.
Legally, it can be permissible for Zerocost to let developers handle consent instead of Zerocost always handling it, if roles, responsibilities, and data flows are structured correctly. This is common in SaaS/SDK ecosystems. For example, many analytics, ad tech, CRM, and customer-support SDKs rely on the website/app operator to obtain consent.
Under laws like GDPR and the ePrivacy Directive:
The app developer / website operator is usually the primary party interacting with the end user.
They often act as the controller (or joint controller in some cases) for user data collected through third-party SDKs.
A vendor like Zerocost can act as a processor for some services, or an independent/joint controller for others depending on product design.
That means the app can collect consent in its own signup flow, cookie banner, onboarding, or privacy center, then pass the consent signal to Zerocost.
Your Terms, DPA, and dashboard settings should clearly state:
If developer disables Zerocost consent UI, developer confirms they obtain valid consent where required.
Developer must provide required notices.
Developer must pass consent signals accurately.
Zerocost may suspend products if no lawful basis exists.
If user has not consented (where needed), Zerocost should not collect/process that data. Example:
Ads product (contextual only): maybe no consent needed in some regions/use cases.
Product 2 datasets: likely higher risk, often consent strongly recommended.
Product 3 recordings: explicit consent strongly advisable.
User should be able to separately agree/refuse:
Contextual ads
Interaction data monetization
Recordings / session capture
Store timestamp, version of notice, region, consent state source (“developer-managed” vs “Zerocost popup”).
You cannot simply say “developer is responsible” and ignore everything. Regulators look at actual control and benefit, not only contracts. If Zerocost determines purposes/means of processing, you may still have obligations.
Use a hybrid system:
Zerocost popup enabled (easy compliance path)
Developer disables popup and uses custom consent manager.
Require them to certify:
lawful basis obtained where required
notices updated
consent revocable
signals passed to Zerocost SDK
    zc.consent.sync({
      ads: true,
      datasets: false,
      recordings: false,
      source: "developer_cmp"
    })

For trust + scale, market it as:
“Bring your own consent manager, or use Zerocost’s built-in privacy controls.”
That is stronger than forcing everyone into one popup.
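The per-purpose gating and consent record described above (separate agree/refuse per product; stored timestamp, notice version, region and source), as an added example that is not Zerocost SDK code. The function names, the `zerocost_popup` source label and the `consentRequired` policy list are assumptions made for illustration.

```javascript
// Added example: hypothetical consent ledger, not Zerocost SDK code.
const PURPOSES = ["ads", "datasets", "recordings"];
const SOURCES = ["developer_cmp", "zerocost_popup"]; // second label is assumed

// Validate a signal shaped like the zc.consent.sync() payload and append an
// audit record carrying the fields the post asks to store.
function recordConsent(ledger, userId, signal, meta) {
  if (!SOURCES.includes(signal.source)) throw new TypeError("unknown consent source");
  for (const p of PURPOSES) {
    // Strict booleans only: "true", 1 or a missing key must not count as consent.
    if (typeof signal[p] !== "boolean") throw new TypeError(`purpose ${p} must be boolean`);
  }
  if (!meta || !meta.noticeVersion || !meta.region) {
    throw new TypeError("noticeVersion and region are required");
  }
  const entry = Object.freeze({
    userId, ads: signal.ads, datasets: signal.datasets, recordings: signal.recordings,
    source: signal.source, noticeVersion: meta.noticeVersion, region: meta.region,
    timestamp: meta.now || new Date().toISOString(),
  });
  ledger.push(entry); // append-only, so withdrawals stay visible in the history
  return entry;
}

// The latest record for a user wins; this is how revocation takes effect.
function currentConsent(ledger, userId) {
  for (let i = ledger.length - 1; i >= 0; i--) {
    if (ledger[i].userId === userId) return ledger[i];
  }
  return null;
}

// Fail closed: a purpose listed in consentRequired is processed only when the
// latest record grants it. consentRequired is deployment policy (an assumption
// here); e.g. contextual ads could be left out of it for some regions.
function mayProcess(ledger, userId, purpose, consentRequired = PURPOSES) {
  if (!PURPOSES.includes(purpose)) return false;
  if (!consentRequired.includes(purpose)) return true;
  const rec = currentConsent(ledger, userId);
  return rec !== null && rec[purpose] === true;
}

// Constructed sample: a developer-managed grant followed by a withdrawal.
const demoLedger = [];
recordConsent(demoLedger, "user-1", { ads: true, datasets: true, recordings: false,
  source: "developer_cmp" }, { noticeVersion: "v1", region: "EU" });
recordConsent(demoLedger, "user-1", { ads: true, datasets: false, recordings: false,
  source: "developer_cmp" }, { noticeVersion: "v1", region: "EU" });
console.log(mayProcess(demoLedger, "user-1", "datasets")); // false
```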
Planned
Feedback, Bugs, & Feature Requests
About 1 month ago

Harshil S