Geo Rules
CookieBoss automatically detects visitor location and applies the correct consent behavior based on privacy regulations. With the visual Geo Rules Editor, you can configure region-specific rules in seconds — or go granular with US state-level targeting.
Pro plan required
Geo rules require the Pro plan or higher. Free and Basic plans use a single global consent mode for all visitors.
How geo detection works
- The consent script calls the CookieBoss geo endpoint
- The endpoint returns the visitor’s country and region (using Cloudflare’s
cf-ipcountryheader) - CookieBoss evaluates your geo rules top-to-bottom and applies the first matching rule
- The geo result is cached in localStorage for 24 hours
Visual Geo Rules Editor
The easiest way to configure geo rules is through the dashboard’s visual editor.
Accessing the editor
- Open the CookieBoss dashboard
- Navigate to Sites and select your site
- Click the Geo Rules tab
Quick-add region presets
The editor includes 8 built-in presets that cover the most common regulatory regions. Click any preset to instantly add it as a rule:
| Preset | Countries/Regions | Recommended mode |
|---|---|---|
| EEA | All 27 EU member states + Iceland, Liechtenstein, Norway | Opt-in |
| UK | Great Britain | Opt-in |
| US Privacy States | CA, CO, CT, VA, UT, TX, OR, MT, DE, IA, IN, TN, FL | Opt-out |
| Brazil | BR | Opt-in |
| Canada | CA | Opt-in |
| Japan | JP | Opt-in |
| South Korea | KR | Opt-in |
| Australia | AU | Notice |
Creating custom rules
If the presets don’t fit your needs, create custom rules:
- Click Add Rule
- Give the rule a name (e.g., “Southeast Asia” or “LGPD Countries”)
- Select the countries or US states this rule applies to
- Choose a consent mode:
- Opt-in — all optional cookies denied by default, visitor must actively consent
- Opt-out — cookies allowed by default, visitor can opt out
- Notice — informational banner only, no blocking
- Toggle Show Banner on or off
- Drag the rule to set its priority
Rule priority
Rules are evaluated top-to-bottom. The first rule whose region list matches the visitor’s location is applied. If no rules match, the bottom “default” rule is used.
For example, if you have:
- EEA + UK (opt-in)
- US Privacy States (opt-out)
- Rest of World (notice)
A visitor from Germany matches rule 1 and gets opt-in. A visitor from California matches rule 2 and gets opt-out. A visitor from Japan matches rule 3 and gets notice.
Always have a default rule
Make sure your last rule has an empty regions list — this acts as a catch-all for visitors from locations not covered by any other rule.
US state-level granularity
CookieBoss supports targeting individual US states, which is essential for complying with the patchwork of US state privacy laws:
| State | Code | Law |
|---|---|---|
| California | US-CA | CCPA / CPRA |
| Colorado | US-CO | CPA |
| Connecticut | US-CT | CTDPA |
| Virginia | US-VA | VCDPA |
| Utah | US-UT | UCPA |
| Texas | US-TX | TDPSA |
| Oregon | US-OR | OCPA |
| Montana | US-MT | MCDPA |
| Delaware | US-DE | DPDPA |
| Iowa | US-IA | ICDPA |
| Indiana | US-IN | IDPA |
| Tennessee | US-TN | TIPA |
| Florida | US-FL | FDBR |
Use the format US-XX where XX is the two-letter state code. In the visual editor, US states appear in a separate section when you select the United States.
Consent modes explained
| Mode | Description | When to use |
|---|---|---|
| Opt-in | All optional cookies denied until explicit consent. Banner shown. | GDPR, LGPD, PIPA, and any jurisdiction requiring prior consent |
| Opt-out | Cookies allowed by default, visitor can opt out. | CCPA/CPRA and US state laws with opt-out models |
| Notice | Informational banner only, no cookie blocking. | Regions with no specific cookie consent requirements |
Geo rules via API
You can also configure geo rules programmatically. The new format uses a geoRules array where each rule has an ID, name, regions list, consent mode, and banner toggle:
{
"geoRules": [
{
"id": "eea",
"name": "EEA + UK",
"regions": ["AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE","IS","LI","NO","GB"],
"mode": "opt-in",
"showBanner": true
},
{
"id": "us-privacy",
"name": "US Privacy States",
"regions": ["US-CA","US-CO","US-CT","US-VA","US-UT","US-TX","US-OR","US-MT"],
"mode": "opt-out",
"showBanner": true
},
{
"id": "default",
"name": "Rest of World",
"regions": [],
"mode": "notice",
"showBanner": false
}
]
}Rule object fields
| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the rule (e.g., "eea", "us-privacy", "default") |
name | string | Human-readable name shown in the dashboard |
regions | string[] | Array of ISO 3166-1 alpha-2 country codes or US-XX state codes. Empty array = catch-all. |
mode | string | One of "opt-in", "opt-out", or "notice" |
showBanner | boolean | Whether to display the consent banner for matching visitors |
Backward compatibility
The legacy object format with eu, california, and default keys still works:
{
"geoRules": {
"eu": { "mode": "opt-in", "showBanner": true },
"california": { "mode": "opt-out", "showBanner": true },
"default": { "mode": "opt-in", "showBanner": true }
}
}If you’re already using this format, it will continue to work. However, we recommend migrating to the new array format to take advantage of custom regions and US state-level targeting.
Caching behavior
The geo detection result is cached in localStorage under the key cookieboss_geo for 24 hours. This means:
- Only one geo request per visitor per 24 hours
- Visitors on VPNs will be classified based on their VPN exit country
- Clearing localStorage resets the geo cache
Geo detection failure
If the geo endpoint is unreachable, CookieBoss defaults to the most restrictive mode (opt-in). This ensures compliance is never accidentally bypassed.