Cookie Consent

Last Updated On: 28/11/25

1. Purpose

This Cookie Consent Framework (“Framework”) defines how Octor obtains, records, manages, stores, audits, and withdraws user consent for cookies and similar technologies.

It ensures compliance with:

  • GDPR Articles 4, 6, 7, 12, 13, 14, 21
  • ePrivacy Directive (EU Cookie Law)
  • DPDP Act (India)
  • CCPA/CPRA (California)
  • UK GDPR

2. Scope

Applies to:

  • Octor website
  • Octor doctor/clinic portals
  • Teleconsultation web components
  • Any browser-based access points

Does NOT apply to:

  • Mobile app system-level permissions
  • Third-party HIS/EMR sites
  • External websites

3. Consent Requirements (GDPR, DPDP, ePrivacy, CCPA)

Under GDPR:

  • Consent must be freely given, specific, informed, and unambiguous.
  • No pre-checked boxes.
  • No “accept-only” banners.
  • Consent must be granular by category.

Under DPDP:

  • Consent must be affirmative, specific, and revocable.

Under CCPA:

  • Users have the right to opt-out of “sale” or “sharing” of personal information.

(Octor does NOT sell/share any data.)

4. Layered Consent Structure

Octor follows a three-layer consent model:

  • First Layer: Cookie Banner — High-level message + essential actions
  • Second Layer: Preferences Center — Full details and category-level toggles
  • Third Layer: Detailed Cookie Policy — Long-form legal explanation

5. Consent Banner (Primary Layer)

5.1 Banner Purpose

Displays upon first visit or whenever consent expires.

5.2 Banner Requirements

  • Clear and unavoidable
  • No dark patterns
  • No pre-selected consents

5.3 Banner Text Example (Approved)

“We use cookies to make Octor work securely and reliably. Essential cookies are always active. You may accept all cookies, reject non-essential cookies, or manage preferences. Learn more in our Cookie Policy.”

5.4 Banner Action Buttons

  • Accept All
  • Reject Non-Essential
  • Manage Preferences

5.5 Essential Cookies Cannot Be Disabled

Banner must clarify this.

6. Second Layer — Preference Center

The Preference Center contains:

  • Detailed explanation
  • Category toggles
  • Links to full Cookie Policy
  • “Save Preferences” button
  • “Withdraw consent” option

It must show:

  • Cookie name
  • Description
  • Provider
  • Duration
  • Category

7. Consent Categories

Octor uses 4 categories:

  • Strictly Necessary (Essential) — Always active
  • Functional — Optional
  • Performance/Analytics — Optional
  • Security Cookies — Always active

8. Essential Cookies (Always Active)

These cannot be disabled and do not require consent.

Examples:

  • Authentication tokens
  • Session identifiers
  • CSRF tokens
  • Queue management cookies
  • Teleconsultation session initialization
  • Load balancer routing cookies

Purpose: Platform security, login, navigation, data integrity.

Legal Basis: Contractual Necessity / Legitimate Interest (GDPR)

9. Functional Cookies (Optional)

Examples:

  • Language preference
  • Clinic/branch memory
  • UI layout selections
  • Default audio/video device

Legal Basis: Consent (GDPR)

10. Performance Cookies (Optional)

Examples:

  • Page speed metrics
  • API latency tracking
  • Crash diagnostics
  • Device/browser breakdown

Legal Basis: Consent (GDPR)

11. Security Cookies (Always Active)

Used to:

  • Detect threats
  • Validate session integrity
  • Prevent brute-force attacks
  • Enforce MFA requirements

Legal Basis: Legitimate Interest + Security Obligation

12. Explicit Consent Rules

Octor must:

  • Display the banner on first visit
  • Block non-essential cookies, and the scripts that would set them, until the user has accepted the relevant category
  • Record the consent timestamp
  • Allow granular preferences
  • Renew consent every 6–12 months (best practice)

13. Withdrawal of Consent

Users can:

  • Open Preferences Center
  • Toggle categories
  • Clear browser cookies
  • Revoke consent anytime

Revoking consent must not affect essential or security cookies, which remain active.

14. Consent Recording & Audit Logs

Octor must store:

  • Consent action (accept/reject/manage)
  • Timestamp
  • Categories accepted
  • Browser/device identifier (non-personal, e.g. a random per-browser consent ID rather than a device fingerprint)
  • Consent version number

Logs retained for 12–24 months.
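The rules in sections 12 to 14 (default-deny until consent is recorded, per-category toggles, a timestamped and versioned consent record, withdrawal that leaves essential and security cookies active, and renewal after 6 to 12 months) in working form, as an added example that is not Octor's own code. The constants CONSENT_VERSION and RENEWAL_MS, the category keys, and the `data-consent-category` / `data-src` attribute convention for gated scripts are assumptions; the returned record object stands in for whatever consent store Octor uses.

```javascript
// Added example, not Octor's code. Assumed constants and category keys.
const CONSENT_VERSION = "2025-11-28"; // bump whenever cookie usage changes (section 22)
const ALWAYS_ACTIVE = ["essential", "security"]; // never gated, never revocable
const OPTIONAL = ["functional", "performance"]; // require recorded consent
const RENEWAL_MS = 180 * 24 * 60 * 60 * 1000; // 6 months; renewal window per section 12

// Build the record that gets stored and audited: action, timestamp, categories, version.
// Unknown categories in `acceptedOptional` are dropped, so a tampered request cannot
// grant a category the Preference Center never offered.
function makeConsentRecord(action, acceptedOptional = [], now = Date.now()) {
  const accepted = new Set(ALWAYS_ACTIVE);
  if (action === "accept_all") {
    OPTIONAL.forEach((c) => accepted.add(c));
  } else if (action === "manage") {
    acceptedOptional.filter((c) => OPTIONAL.includes(c)).forEach((c) => accepted.add(c));
  }
  // "reject_non_essential" and "withdraw" leave only the always-active set
  return {
    action,
    timestamp: new Date(now).toISOString(),
    categories: [...accepted].sort(),
    version: CONSENT_VERSION,
  };
}

// A record is valid only if it was given under the current consent version
// and is younger than the renewal window.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  const ts = Date.parse(record.timestamp);
  return Number.isFinite(ts) && now - ts < RENEWAL_MS;
}

// Default deny: with no valid record, only always-active categories are allowed.
function isCategoryAllowed(record, category, now = Date.now()) {
  if (ALWAYS_ACTIVE.includes(category)) return true;
  if (!isConsentValid(record, now)) return false;
  return record.categories.includes(category);
}

// Gate third-party/optional scripts at load time rather than only deleting cookies
// after the fact. Scripts are shipped inert as
//   <script type="text/plain" data-consent-category="performance" data-src="..."></script>
// and only swapped for a real <script> once their category is allowed.
// Returns the number of scripts activated; 0 outside a browser (no `document`).
function activateGatedScripts(record, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!isCategoryAllowed(record, el.dataset.consentCategory)) continue;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src;
    else s.textContent = el.textContent;
    el.replaceWith(s);
    activated += 1;
  }
  return activated;
}

// Example flow: user picks only "performance" in the Preference Center, later withdraws.
const saved = makeConsentRecord("manage", ["performance"]);
activateGatedScripts(saved); // loads performance scripts only; functional stays inert
const withdrawn = makeConsentRecord("withdraw");
activateGatedScripts(withdrawn); // nothing optional loads; essential/security unaffected
```

Gating script execution (rather than deleting cookies after an analytics tag has already fired) is what makes "block until acceptance" hold in practice; the version check forces a fresh banner after any change listed in section 22, and the expiry check implements the 6 to 12 month renewal without a separate timer.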

15. Cross-Device & Cross-Session Consent Persistence

If the user is logged into Octor:

  • Consent may be synced across devices
  • Or stored separately per browser session (configurable)

16. Children's Consent Requirements

If a clinic uses Octor for child patients:

  • Consent must come from parent/guardian
  • Octor does not directly solicit consent from minors

17. Special Rules for Teleconsultation Cookies

Teleconsultation may require:

  • WebRTC temporary tokens
  • Device permissions tokens
  • Audio/video selection preferences

These cookies:

  • Do not store PHI
  • Are essential for session operation
  • Expire automatically when session ends

18. Special Rules for Device Integration Cookies

Device integrations may store:

  • Pairing state
  • Device identifiers
  • Connectivity flags

They do not store medical readings.

19. Browser & Device Controls

Users can block or delete cookies using:

  • Chrome
  • Firefox
  • Safari
  • Edge
  • Opera
  • Android WebView
  • iOS WebKit

Blocking essential cookies may disable major platform functionality.

20. Responding to Do Not Track Signals

Octor:

  • Acknowledges DNT signals
  • Does NOT alter cookie behavior solely based on DNT
  • Relies instead on user-set cookie preferences

21. APIs for Consent Management

Octor may expose APIs for enterprise customers:

  • GET /consent/preferences
  • POST /consent/preferences
  • DELETE /consent

Useful for:

  • Multi-location hospital deployments
  • Unified compliance dashboards

22. Change Management

Octor may update its cookie usage:

  • When adding new features
  • When integrating new devices
  • When migrating CDN or hosting providers

Users may be prompted to refresh consent if:

  • New cookie category added
  • Analytics provider changed
  • Deployment model updated

© Octor 2025. All rights reserved.