generators-consent-flow

First step: Tell the user: "generators-consent-flow skill loaded."

Consent Flow Generator

Generate a production privacy consent system with granular category-based consent, persistent state management, a consent banner and preferences UI, audit logging for compliance, and App Tracking Transparency integration.

When This Skill Activates

Use this skill when the user:

• Asks about "privacy consent" or "consent management"
• Mentions "GDPR consent" or "GDPR compliance"
• Wants "cookie consent" or "tracking consent"
• Mentions "ATT prompt" or "App Tracking Transparency"
• Asks for "privacy preferences" or "consent preferences"
• Mentions "CCPA compliance" or "DPDP compliance"
• Wants to "manage user consent" or "consent banner"
• Asks about "consent audit log" or "consent records"

Pre-Generation Checks

1. Project Context Detection

• Check Swift version (requires Swift 5.9+)
• Check deployment target (iOS 16+ / macOS 13+)
• Check for @Observable support (iOS 17+ / macOS 14+)
• Identify source file locations

2. Conflict Detection

Search for existing consent or privacy code:

Glob: **/*Consent*.swift, **/*Privacy*.swift, **/*Tracking*.swift, **/*GDPR*.swift
Grep: "ATTrackingManager" or "ConsentManager" or "trackingAuthorizationStatus"

If third-party library found (OneTrust, Usercentrics, CookieBot):

• Ask if user wants to replace or keep it
• If keeping, don't generate — advise on integration best practices instead

3. ATT Framework Availability

Check for App Tracking Transparency framework:

Grep: "AppTrackingTransparency" in project files
Grep: "NSUserTrackingUsageDescription" in Info.plist

If NSUserTrackingUsageDescription is missing from Info.plist, warn the user that ATT requires this key and offer to add it.

4. Platform Detection

Determine if generating for iOS (primary ATT target) or macOS (ATT not applicable) or both.

Configuration Questions

Ask user via AskUserQuestion:

1. Target regulations?

   • GDPR only (EU — opt-in model)
   • CCPA only (California — opt-out model)
   • DPDP only (India — consent-based)
   • All regulations (recommended for global apps)

2. Consent categories? (multi-select)

   • Essential (always on, cannot be disabled)
   • Analytics (usage tracking, crash reporting)
   • Marketing (advertising, attribution)
   • Personalization (recommendations, content tailoring)
   • Functional (preferences, saved settings beyond essential)

3. Include ATT integration?

   • Yes — request ATT permission before any tracking (recommended for iOS)
   • No — handle consent without ATT (macOS, or no IDFA usage)

4. Consent UI style?

   • Bottom banner with manage preferences (recommended)
   • Full-screen consent view (for first launch)
   • Settings-embedded (preferences in app settings, no banner)
   • Banner + Settings (banner on first launch, preferences in settings)

Generation Process

Step 1: Read Templates

Read templates.md for production Swift code. Read references/patterns.md for compliance rules, regulation differences, and UX guidance.

Step 2: Create Core Files

Generate these files:

1. ConsentCategory.swift — Enum of consent categories with metadata
2. ConsentDecision.swift — Per-category consent state with timestamp
3. ConsentManager.swift — @Observable manager with persistence and ATT integration
4. ConsentAuditLog.swift — Compliance audit trail with JSON export

Step 3: Create UI Files

5. ConsentBannerView.swift — Animated slide-up consent banner
6. ConsentPreferencesView.swift — Detailed toggle list for each category

Step 4: Create Optional Files

Based on configuration:

• ConsentRegulationConfig.swift — If multiple regulations selected
• ConsentATTBridge.swift — If ATT integration selected (extracted for testability)

Step 5: Determine File Location

Check project structure:

• If Sources/ exists → Sources/Consent/
• If App/ exists → App/Consent/
• Otherwise → Consent/

Output Format

After generation, provide:

Files Created

Consent/
├── ConsentCategory.swift        # Consent category enum with metadata
├── ConsentDecision.swift         # Per-category decision with timestamp
├── ConsentManager.swift          # @Observable manager with persistence
├── ConsentAuditLog.swift         # Compliance audit trail
├── ConsentBannerView.swift       # Animated consent banner
├── ConsentPreferencesView.swift  # Granular preferences UI
├── ConsentRegulationConfig.swift # Multi-regulation rules (optional)
└── ConsentATTBridge.swift        # ATT integration bridge (optional)

Integration Steps

Show consent on first launch:

@main
struct MyApp: App {
    @State private var consentManager = ConsentManager()

    var body: some Scene {
        WindowGroup {
            ContentView()
                .environment(consentManager)
                .overlay(alignment: .bottom) {
                    if consentManager.needsConsent {
                        ConsentBannerView()
                            .environment(consentManager)
                            .transition(.move(edge: .bottom).combined(with: .opacity))
                    }
                }
                .animation(.easeInOut(duration: 0.3), value: consentManager.needsConsent)
        }
    }
}

Check consent before tracking:

func trackEvent(_ event: AnalyticsEvent) {
    guard consentManager.hasConsent(for: .analytics) else { return }
    analyticsService.track(event)
}

func showPersonalizedAd() {
    guard consentManager.hasConsent(for: .marketing) else {
        showGenericAd()
        return
    }
    adService.showPersonalized()
}

Open preferences from settings:

NavigationLink("Privacy Preferences") {
    ConsentPreferencesView()
        .environment(consentManager)
}

Export audit log for data requests:

func handleDataRequest() async throws -> Data {
    let auditLog = ConsentAuditLog.shared
    return try auditLog.exportJSON()
}

Testing

@Test
func consentGrantedPersistsAcrossLaunches() async {
    let defaults = UserDefaults(suiteName: "test")!
    defaults.removePersistentDomain(forName: "test")
    let manager = ConsentManager(defaults: defaults)

    manager.updateConsent(for: .analytics, granted: true)

    let manager2 = ConsentManager(defaults: defaults)
    #expect(manager2.hasConsent(for: .analytics) == true)
}

@Test
func essentialConsentCannotBeRevoked() {
    let manager = ConsentManager()
    manager.updateConsent(for: .essential, granted: false)
    #expect(manager.hasConsent(for: .essential) == true) // Always granted
}

@Test
func auditLogRecordsDecisions() {
    let log = ConsentAuditLog(directory: tempDirectory)
    log.record(category: .analytics, granted: true, regulation: .gdpr)

    let entries = log.allEntries()
    #expect(entries.count == 1)
    #expect(entries[0].category == .analytics)
    #expect(entries[0].granted == true)
}

@Test
func denyAllRevokesNonEssentialCategories() {
    let manager = ConsentManager()
    manager.grantAll()
    manager.denyAllNonEssential()

    #expect(manager.hasConsent(for: .essential) == true)
    #expect(manager.hasConsent(for: .analytics) == false)
    #expect(manager.hasConsent(for: .marketing) == false)
}

Common Patterns

Show Consent on First Launch

.onAppear {
    if consentManager.needsConsent {
        // Banner auto-shows via overlay
    }
}

Update Preferences Later

Button("Privacy Settings") {
    showPreferences = true
}
.sheet(isPresented: $showPreferences) {
    ConsentPreferencesView()
        .environment(consentManager)
}

Check Consent Before Any Tracking Call

extension ConsentManager {
    func executeIfConsented(
        category: ConsentCategory,
        action: () -> Void
    ) {
        guard hasConsent(for: category) else { return }
        action()
    }
}

Export Audit Log for Data Subject Requests

let jsonData = try consentManager.auditLog.exportJSON()
// Attach to email or upload to compliance endpoint

Gotchas

ATT Must Be Requested Before Any Tracking

Apple rejects apps that access IDFA before calling ATTrackingManager.requestTrackingAuthorization. Always request ATT first, then enable tracking SDKs based on the result.

GDPR Requires Opt-In (Not Opt-Out)

Under GDPR, all non-essential tracking requires explicit opt-in consent. Pre-checked boxes or implied consent are not valid. The default state for all non-essential categories must be .notDetermined, not .granted.

Consent Must Be As Easy to Withdraw As to Grant

GDPR Article 7(3): "It shall be as easy to withdraw as to give consent." If consent is granted with one tap on a banner, it must be revocable with equal ease — not buried 5 screens deep in settings.

Different Regulations Have Different Age Thresholds

• GDPR: 16 years (member states can lower to 13)
• CCPA: 16 years for sale of data, 13 for minors
• DPDP: 18 years (parental consent required below)

If your app serves minors, you need age verification before consent collection.

Don't Block the UI on ATT

ATTrackingManager.requestTrackingAuthorization is async and shows a system dialog. Never call it during app launch or in a way that blocks the main UI. Show your own consent banner first, then request ATT as a secondary step.

Consent State Must Survive App Reinstall (GDPR)

For GDPR compliance, consider syncing consent state to a server. UserDefaults is deleted on app uninstall. If a user reinstalls, you must re-request consent — never assume prior consent.

References

• templates.md — All production Swift templates for consent flow
• references/patterns.md — Regulation comparison, ATT details, UX best practices, anti-patterns
• Related: generators-permission-priming — Pre-permission UI patterns (ATT priming)
• Related: generators-analytics-setup — Analytics that respects consent state
• Related: generators-settings-screen — Embedding consent preferences in settings