Shield CMP - Cookie & Tracker Consent

Every cookie is a consent decision. Prove you asked first.

Category-based banner, consent-gated script blocking, and an automated tracker scanner - bundled free on every plan. Same DPDPA proof vault as your consent notices.

Your penalty exposure

₹250Crunconsented tracking (S.5 & S.6)

Every analytics or ad script firing before consent is data processing without a lawful basis - the same violation as a bad consent notice, just running silently in the background.

How It Works

From script tag to audit-ready ledger

1
Configure your categories
Turn on Necessary, Functional, Analytics, and Marketing from the admin dashboard. Child-directed sites can hard-block Analytics and Marketing entirely.
2
Embed one script tag
Drop the Shield CMP SDK on any page - no build step, no framework dependency.
3
Scripts stay blocked
Any tag marked with a data-category attribute (Analytics, Marketing, etc.) is held out of the DOM until that specific category is granted.
4
Visitor decides, you get proof
Every accept, reject, and partial decision writes to the same consent audit trail as your notices - one ledger, one DPO dashboard.
5
Auto-scanner catches drift
A scheduled headless crawl of your own site flags any tracker nobody declared and emails your DPO - only on genuinely new findings.
Features

Everything to govern trackers, not just disclose them

Core

Category-Based Cookie Banner

Necessary, Functional, Analytics, and Marketing categories - each independently enabled and toggleable. No all-or-nothing consent.

Consent-Gated Script Blocking

Analytics tags, ad pixels, and any data-category-tagged script hold until the visitor grants that exact category - not just the banner.

Child-Directed Mode (S.9(3))

One toggle hard-blocks Analytics and Marketing with no way to re-enable them - server-enforced, not just hidden in the UI.

Automated Tracker Scanner

Headless crawl of your site cross-references every cookie and third-party script against your declared registry. Drift alerts, not noise.

Server-Side Tracking Support

A consent-status API lets your backend check a visitor's decision before firing a server-side tag (e.g. a Conversions API call).

Persistent Preferences Control

A floating reopen icon means withdrawing consent is exactly as easy as giving it - the DPDPA S.6(4) requirement, built in by default.

<17KB
SDK bundle size
5
Consent categories
All plans
Bundled free
S.6(4)
Withdrawal parity built in
Available from Starter plan onwards

All standard plans include the banner, script blocking, and automated scanner. Not included on the standalone Shield Collect plans.

FAQ

Common questions

Does DPDPA actually require cookie consent?+

There's no separate "cookie law" in India the way GDPR has the ePrivacy Directive. But a cookie or tracking pixel that resolves to an identifiable person - directly, or via a persistent device/browser identifier - is processing personal data under DPDPA S.4 and S.5. Firing that script before consent is the same S.5/S.6 violation as collecting an email address without consent; it's just running silently in the background instead of through a form.

How is this different from a generic cookie-consent plugin?+

Generic banner plugins are built around GDPR's category language and store consent in their own format, disconnected from anything else on your site. Shield CMP writes every cookie-consent decision into the same ConsentAuditLog your notice-based consent records use - one proof format, one audit trail, one DPO dashboard for both.

What actually happens to a script before the visitor consents?+

Any third-party script tagged with a data-category attribute stays out of the page until that specific category is granted. Necessary cookies always fire. Analytics, Marketing, Functional, and Unclassified categories are held back independently, so a partial decision - accept Analytics, reject Marketing - blocks exactly the right scripts instead of an all-or-nothing switch.

What does the automated scanner actually find?+

A headless crawl of your own site (up to 5 pages per run) reads every cookie that gets set and every third-party script domain that loads, then cross-references that against what you've already declared in the tracker registry. Your DPO only gets an email when the scan finds something genuinely new and undeclared - not a repeat alert for a tracker you already know about.

Is Shield CMP a paid add-on?+

No - it's a core module, bundled free with every standard plan starting at Starter, including the automated scanner. The one exception is the standalone Shield Collect plans (Lite/Plus), which are a narrower forms-only product and don't include the full cookie-consent stack.

Ready to govern every tracker on your site?

Bundled free on every plan. No lawyers. No spreadsheets.