---
title: Consent Models
description: How c15t determines consent behavior based on legal jurisdiction.
---
c15t supports four consent models that control how consent defaults, banner visibility, and category gating behave:

|Model|Philosophy|Banner|Categories default to|
|--|--|--|--|
|`opt-in`|Explicit consent required|Blocking banner|`false` (except `necessary`)|
|`opt-out`|Processing allowed by default|Non-blocking notice|`true` (all granted)|
|`iab`|IAB TCF 2.3 for programmatic ads|TCF banner|Managed by TCF framework|
|`null`|No regulation detected|No banner|`true` (all auto-granted)|

There are two ways c15t determines which model applies:

1. **Policy packs** (recommended) — you explicitly set the model per region in a `PolicyConfig`. This gives you full control over which regions get which model. See [Policy Packs](/docs/frameworks/react/concepts/policy-packs).

2. **Automatic jurisdiction mapping** (legacy default) — when no policy pack is configured, c15t detects the visitor's jurisdiction via geolocation and maps it to a model using the table below. This still works but gives you less control over categories, UI, and scope.

> ℹ️ **Info:**
> When using policy packs, the consent.model field in each policy directly sets the model — the automatic jurisdiction mapping is bypassed for that request.

Read the current consent model from the hook:

```tsx
import { useConsentManager } from '@c15t/react';

function ConsentStatus() {
  const { model, policy } = useConsentManager();

  return (
    <p>
      Current consent model: {model ?? 'detecting...'}
      {policy && ` (from policy: ${policy.id})`}
    </p>
  );
}
```

## The Four Models

### Opt-in

The strictest consent model, used for GDPR and similar regulations that require explicit, affirmative consent before any non-essential data processing occurs. All consent categories except `necessary` default to `false`. A consent banner must be shown before any tracking scripts load.

Applies to: EU (GDPR), UK (UK GDPR), Switzerland, Brazil (LGPD), Japan (APPI), South Korea (PIPA), Quebec (Law 25). Also the fallback for unknown jurisdiction codes.

### Opt-out

Used for CCPA-style regulations where data processing is permitted by default until the user exercises their right to opt out. All consent categories default to `true`. A blocking banner is not required — the typical pattern is a non-intrusive notice or footer link.

Applies to: California (CCPA), Canada (PIPEDA), Australia.

When the policy has `consent.gpc: true`, the browser's Global Privacy Control signal (`Sec-GPC: 1` or `navigator.globalPrivacyControl`) is respected — `marketing` and `measurement` are denied while other categories remain granted. The built-in California presets enable this by default. See [Policy Packs — GPC](/docs/frameworks/react/concepts/policy-packs#gpc) for details.

### IAB

IAB Transparency and Consent Framework (TCF) 2.3 mode for programmatic advertising compliance. Only activates when two conditions are met: the jurisdiction is `GDPR` or `UK_GDPR`, and `iab.enabled` is `true` in your configuration.

When active, IAB mode generates TC strings, registers the `__tcfapi` CMP API, and works with the Global Vendor List (GVL) for machine-readable consent signals. If `iab.enabled` is not set, GDPR jurisdictions fall back to standard opt-in.

### null

Returned when no jurisdiction is detected (`NONE` or `null`). No banner is displayed. On first visit, all categories are auto-granted.

## Jurisdiction Mapping

When no policy pack is configured, c15t maps jurisdictions to models automatically:

|Jurisdiction Code|Region|Consent Model|
|--|--|--|
|`GDPR`|European Union|opt-in|
|`UK_GDPR`|United Kingdom|opt-in|
|`CH`|Switzerland|opt-in|
|`BR`|Brazil (LGPD)|opt-in|
|`APPI`|Japan|opt-in|
|`PIPA`|South Korea|opt-in|
|`PIPEDA`|Canada (excl. Quebec)|opt-out|
|`QC_LAW25`|Quebec, Canada|opt-in|
|`CCPA`|California, USA|opt-out|
|`AU`|Australia|opt-out|
|`NONE`|No jurisdiction|null|
|*(unknown)*|Any other|opt-in|

**IAB override:** If `iab.enabled: true` and the jurisdiction is `GDPR` or `UK_GDPR`, the model becomes `'iab'` instead of `'opt-in'`. This override only applies to those two jurisdictions.

> ℹ️ **Info:**
> With policy packs, you set the model explicitly per policy — the automatic mapping above is only used as a fallback when no policy pack is configured, or for non-policy-pack features like auto-granting in opt-out jurisdictions.

Override the detected jurisdiction for testing:

```tsx
import { useConsentManager } from '@c15t/react';

function JurisdictionTester() {
  const { setOverrides } = useConsentManager();

  return (
    <div>
      <button onClick={() => setOverrides({ country: 'DE' })}>
        Test as EU visitor
      </button>
      <button onClick={() => setOverrides({ country: 'US', region: 'CA' })}>
        Test as California visitor
      </button>
    </div>
  );
}
```

> ℹ️ **Info:**
> For full control over which model applies where — plus UI customization, category scoping, and re-prompting — see Policy Packs.