Consent Models & GPC
IConsentResolver
Section titled “IConsentResolver”The consent resolver determines if a user has consented to a cookie category:
public interface IConsentResolver{ Task<bool> HasConsentAsync(HttpContext httpContext, CookieCategory category);}StrictlyNecessary cookies bypass consent checks entirely — the cookie manager
never calls HasConsentAsync for essential cookies.
Consent models
Section titled “Consent models”The cookie system supports four consent models, configured per tenant via the regulation profile:
| Model | Behavior | Regulation |
|---|---|---|
| OptIn | Cookies blocked until explicit consent | GDPR, LGPD |
| OptOut | Cookies allowed by default, blocked on explicit opt-out | CCPA |
| Hybrid | OptIn for sensitive categories, OptOut for non-sensitive | Some US states |
| None | No specific consent requirement | Jurisdictions without cookie law |
The consent model is resolved via ICookieConsentModelProvider — an optional
interface provided by the bridge package Granit.Privacy.Regulations.Cookies.
Global Privacy Control (GPC)
Section titled “Global Privacy Control (GPC)”The GPC signal (Sec-GPC: 1
HTTP header) indicates the user prefers not to have their data sold or shared.
IGlobalPrivacyControlSignal detects the header. The GranitCookieManager
suppresses cookies based on the consent model:
| Consent model | GPC active | Effect |
|---|---|---|
| OptOut (CCPA) | Yes | Suppress SaleOrSharing + Marketing only |
| OptIn (GDPR) | Yes | Suppress ALL non-essential categories |
| Hybrid | Yes | Suppress SaleOrSharing + Marketing only |
| Any | No | No effect — fall through to IConsentResolver |
Default implementations
Section titled “Default implementations”| Implementation | Behavior |
|---|---|
NullConsentResolver | Denies consent for all non-essential categories (default) |
NullCookieConsentModelProvider | Returns null — no GPC suppression (default) |
GlobalPrivacyControlHeaderSignal | Reads Sec-GPC: 1 header (always registered) |