A California agency is seeking vendors to provide consent and preference management software for a one-year contract. The objective is to centralize and unify the management of consent and cookies across multiple platforms, automating detection, classification, and tracking. The selected platform must facilitate the creation, updating, withdrawal, and historical tracking of consents for both web and mobile environments, offering comprehensive data models, event logging, and reconciliation. Automated detection and classification for cookies, trackers, and pixels are essential, including robust measures for handling false positives and negatives. Support for various deployment environments—such as public websites, member portals, and mobile applications—is required, along with a user-friendly admin interface for managing cookies and providers, configuring policies, and authoring consent rules.

Integration with other systems should be supported via REST APIs for consent retrieval, writing, cookie inventory, and report exports, with details on authentication, rate limiting, and versioning. Security and regulatory compliance are critical, including maintenance of consent records, "Do Not Sell/Share" provisions, and documenting compliance with standards like SOC 2 Type II, ISO 27001, or HITRUST. Data security must utilize encryption in transit (TLS 1.2+) and at rest (AES–256), with strong key management, audit logs, and evidence against tampering. Role-based access control, least-privilege principles, and administrative auditing are required, as well as support for emergency access procedures.

The solution must also provide clear, accessible privacy controls and user experiences, including consent banners, preference centers, granular toggles, and layered notices compatible with both mobile and web. Accessibility compliance with WCAG 2.1 AA for all user-facing components is necessary, supported by a documented testing approach. Built-in analytical dashboards should report on consent opt-in rates, declines, pending statuses, and trends, with options for drill-down analysis and exporting data. Comprehensive audit logs and configurable retention policies are required. All vendor questions must be submitted by February 24, 2026, with the contract period spanning one year.