How to Audit Your Cookie Banner for GDPR and CPRA Compliance

A cookie banner that does not actually block cookies is a liability, not a compliance solution. The appearance of a consent mechanism and the function of one are different things — and the gap between them is exactly what regulators look for. This is the checklist I run through when auditing a site's consent implementation.

TL;DR

  • A compliant cookie banner must block non-essential cookies until consent is granted — not just display a notice about them.
  • You can verify cookie blocking by opening DevTools before accepting the banner and checking which cookies are already set.
  • GTM Consent Mode must be configured to honor consent signals — without it, tags fire regardless of what the user chose.
  • Consent logs must be stored and accessible — you need to be able to demonstrate who consented to what and when.

Why audits are necessary

Most cookie banners were implemented by a developer or marketing team following a tutorial, not a privacy lawyer reviewing the regulatory requirements. The result is often a banner that discloses what cookies are used — which is a GDPR requirement — but does not actually prevent those cookies from being set before consent is given — which is also a GDPR requirement.

Regulators, particularly in Germany, France, and Ireland, have been actively enforcing this distinction. Fines for non-compliant cookie implementations are increasingly common, and the "we have a banner" defense does not hold up when the cookies were already set.

The 10-point audit checklist

1. Cookies are blocked before consent

Open your site in a private browser window. Before clicking anything on the cookie banner, open DevTools (Application → Cookies). Are any non-essential cookies already set? GA4 cookies (_ga, _ga_XXXXXXX), advertising cookies, and analytics tool cookies should not appear before consent. If they do, your implementation is non-compliant.
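To make the DevTools check repeatable, here is an added helper (not from the original post) that takes a `document.cookie`-style string and flags every cookie that should not exist before consent. The `_ga` / `_ga_<ID>` patterns are the GA4 cookies named above; the other patterns, the essential-cookie allowlist and the sample string are assumptions constructed for the demo.

```javascript
// Cookies that must not be present before the user interacts with the banner.
// _ga and _ga_<MEASUREMENT_ID> are the GA4 cookies from the checklist; _gid
// (GA) and _gcl_au (Google Ads conversion linker) are assumed extra patterns.
const NON_ESSENTIAL_PATTERNS = [
  { category: "analytics",   re: /^_ga$/ },
  { category: "analytics",   re: /^_ga_[A-Z0-9]+$/ },
  { category: "analytics",   re: /^_gid$/ },
  { category: "advertising", re: /^_gcl_au$/ },
];

// Assumed allowlist of strictly necessary cookies (session, CSRF, and the
// CMP's own consent-record cookie). Adjust to the site being audited.
const ESSENTIAL = new Set(["PHPSESSID", "csrf_token", "cookieyes-consent"]);

// Parse "a=1; b=2" (the format document.cookie returns) into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map(part => part.trim())
    .filter(Boolean)
    .map(part => part.split("=")[0].trim());
}

// Returns { compliant, violations }. Anything not on the allowlist is
// reported; known trackers get a category, unknown cookies are marked
// "unclassified" so the auditor checks what set them.
function auditPreConsentCookies(cookieString, essential = ESSENTIAL) {
  const violations = [];
  for (const name of parseCookieNames(cookieString)) {
    if (essential.has(name)) continue;
    const hit = NON_ESSENTIAL_PATTERNS.find(p => p.re.test(name));
    violations.push({ name, category: hit ? hit.category : "unclassified" });
  }
  return { compliant: violations.length === 0, violations };
}

// Constructed sample: what a non-compliant site might show before consent.
const SAMPLE_COOKIES =
  "cookieyes-consent=pending; _ga=GA1.1.1234.5678; _ga_ABC123XYZ=GS1.1.1; PHPSESSID=abc";

// In a browser console: auditPreConsentCookies(document.cookie)
console.log(JSON.stringify(auditPreConsentCookies(SAMPLE_COOKIES), null, 2));
```

Run it in the DevTools console before clicking anything on the banner; an empty `violations` list for a fresh private window is the pass condition for point 1.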

2. Reject all is as prominent as Accept all

GDPR requires that declining consent is as easy as accepting it. A banner with a large "Accept All" button and a small grey "Manage Preferences" link does not satisfy this requirement in most EU jurisdictions. "Reject All" should appear at the same visual level as "Accept All."

3. Consent is specific to categories

Users must be able to consent to analytics, advertising, and personalization cookies separately. A binary Accept/Decline that bundles all cookie types is not GDPR-compliant. The banner must offer granular category-level controls.

4. Consent can be withdrawn easily

Users who have consented must be able to withdraw that consent at any time, as easily as they gave it. There should be a persistent mechanism — typically the CookieYes floating icon or an equivalent — that opens the preference center without requiring the user to clear their cookies or find a buried settings page.

5. Consent records are being stored

Check with your CMP provider that consent logs are being stored and are accessible. GDPR requires that you can demonstrate, on request, that a specific user consented to specific categories at a specific date and time. Most CMPs handle this automatically, but it requires the CMP to be configured with a consent log storage mechanism.

6. GTM Consent Mode is configured

In your GTM container, check that the Consent Initialization trigger is being used for tags that should be gated by consent. In the GTM overview, look at each tag's Consent Settings — tags that set cookies should require the relevant storage type (analytics_storage, ad_storage, etc.). If tags are not gated, the CMP is recording consent but GTM is ignoring it.

7. Consent defaults are set to denied

GTM Consent Mode requires that you set default consent states before the CMP has initialized. This is typically done with a gtag("consent", "default", {...}) call in the document head. All storage types should default to "denied" — the CMP then updates them to "granted" if the user accepts. If defaults are "granted," cookies are set before the banner even appears.
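Points 6 and 7 together, as an added example that is not from the original post: a self-contained model of the Consent Mode default/update sequence and of tag gating by storage type. In a real page the two `gtag("consent", ...)` calls go to Google's `gtag` function; here a local `dataLayer` array stands in so the logic runs offline. The category names and the category-to-storage mapping are assumptions; the storage-type keys are the Consent Mode ones.

```javascript
// Assumed mapping from the CMP's banner categories to Consent Mode storage
// types. analytics_storage and ad_storage are named in the checklist; the
// remaining keys are the other Consent Mode v2 types.
const STORAGE_BY_CATEGORY = {
  analytics:       ["analytics_storage"],
  advertising:     ["ad_storage", "ad_user_data", "ad_personalization"],
  personalization: ["personalization_storage"],
};
const ALL_STORAGE = Object.values(STORAGE_BY_CATEGORY).flat();

// Stand-in for window.dataLayer / gtag so the sequence can run outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Point 7: runs in <head> before the CMP loads; every type starts "denied".
// wait_for_update tells tags to hold for up to 500 ms for the CMP's update.
function consentDefault() {
  const state = Object.fromEntries(ALL_STORAGE.map(k => [k, "denied"]));
  gtag("consent", "default", { ...state, wait_for_update: 500 });
  return state;
}

// Called by the CMP with the user's per-category choices, e.g.
// { analytics: true, advertising: false, personalization: false }.
function consentUpdate(choices) {
  const update = {};
  for (const [cat, keys] of Object.entries(STORAGE_BY_CATEGORY)) {
    for (const k of keys) update[k] = choices[cat] ? "granted" : "denied";
  }
  gtag("consent", "update", update);
  return update;
}

// Effective state = the default merged with every later update, in order.
function effectiveConsent() {
  return dataLayer
    .filter(e => e[0] === "consent")
    .reduce((acc, e) => {
      const { wait_for_update, ...values } = e[2];
      return { ...acc, ...values };
    }, {});
}

// Point 6: a tag whose Consent Settings require these storage types may fire
// only when every one of them is "granted". Defaults alone never allow it.
function tagMayFire(requiredStorage, state) {
  return requiredStorage.every(k => state[k] === "granted");
}
```

Setting any default to "granted" in `consentDefault` is exactly the failure point 7 describes: `tagMayFire` would return true before the banner is ever shown.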

8. The banner appears for returning visitors who have not consented

Test in a private browsing window (which starts with no prior consent record). The banner should appear. Then accept the banner, close the window, open a new regular window, and visit the site. The banner should not appear again — the consent was stored. If the banner appears on every visit regardless of prior consent, the consent storage mechanism is broken.

9. Non-EU users receive appropriate treatment

Many CMPs support geo-targeting — showing a full consent banner to EU users, a CPRA-style opt-out notice to California users, and no banner to users in jurisdictions without applicable law. If your CMP is showing a full GDPR-style banner to all users regardless of location, you may be over-collecting consent and over-complicating the experience for users who are not subject to consent requirements.

10. The privacy policy accurately describes cookie use

The cookie banner and the privacy policy must be consistent. If your banner discloses that you use analytics, advertising, and personalization cookies, but your privacy policy only mentions analytics cookies, you have a documentation inconsistency that creates legal exposure. Run a comparison of what your CMP's cookie scan identifies and what your privacy policy discloses.

Not confident your consent implementation is actually compliant?

I audit consent implementations against GDPR and CPRA requirements, configure GTM Consent Mode correctly, and document the setup for your legal team.