Cookie Consent Audit: Is Your CMP Actually GDPR Compliant? (2026 Checklist)
Most SaaS companies have a cookie banner. Most of those banners are non-compliant. That's not an opinion — it's the conclusion of regulators across Europe who have spent the last three years systematically auditing consent management platforms and issuing fines for everything from pre-ticked boxes to buried "reject" buttons.
This guide gives you an 18-point audit checklist to test your own setup. Use it alongside our Cookie Consent Audit Generator to produce a documented compliance assessment.
Why Your Cookie Banner Is Probably Non-Compliant
The CNIL (France), ICO (UK), DSK (Germany), AEPD (Spain), and Garante (Italy) have all published enforcement actions specifically targeting cookie consent dark patterns. Common violations include:
- Asymmetric buttons — large colourful "Accept All" button, tiny grey link for "Manage Preferences"
- Cookie-on-load — firing analytics and marketing cookies before the user has accepted
- Consent by scrolling or inactivity — GDPR Art. 4(11) requires an unambiguous affirmative action
- No "Reject All" option — users must be able to decline as easily as they accept
- Pre-ticked boxes — illegal under GDPR since day one, still found regularly
- Consent without granularity — a single "accept all" button doesn't give specific consent per purpose
The CNIL's 2021 cookie guidance resulted in enforcement actions against Google (€150M), Facebook (€60M), and hundreds of smaller companies. The ICO issued a formal update to its PECR guidance in 2024 specifically targeting dark patterns.
The Legal Framework: ePrivacy + GDPR + CCPA
Cookie compliance in the EU sits at the intersection of two laws:
- ePrivacy Directive (2002/58/EC) — requires prior consent before storing or accessing non-essential cookies on a user's device. This is the legal basis for the cookie banner requirement.
- GDPR — sets the standard for what "consent" means: freely given, specific, informed, unambiguous, withdrawable, not bundled with T&Cs.
In the UK, PECR (Privacy and Electronic Communications Regulations 2003) applies the same rule with ICO enforcement.
In the US, CCPA/CPRA adds a separate requirement for a "Do Not Sell or Share My Personal Information" link where ad networks are involved — this is not a cookie banner, it's a separate opt-out page.
The 18-Point Cookie Consent Audit Checklist
Consent Validity
| Check | Requirement | Common Failure |
|---|---|---|
| 1. Cookies fire only after acceptance | Non-essential cookies (analytics, marketing) must not be set until the user accepts | GA4 fires on page load before any interaction |
| 2. Affirmative action required | GDPR Art. 4(11): consent = unambiguous indication. Scrolling or inactivity is not consent. | Banner says "By continuing to use this site, you accept cookies" |
Banner Design
| Check | Requirement | Common Failure |
|---|---|---|
| 3. "Reject All" equally prominent as "Accept All" | ICO, CNIL, DSK guidance: accept and reject must be equal prominence. No dark patterns. | "Accept All" = large primary button. "Manage" = small text link buried in preferences. |
| 4. Controller identity disclosed | Users must know who is collecting data before consenting | Banner says "We use cookies" without naming the company |
| 5. Link to Cookie Policy accessible before consent | GDPR Art. 13 requires further information link | Cookie policy link only in footer, not on the banner |
Granularity
| Check | Requirement | Common Failure |
|---|---|---|
| 6. Category-by-category consent available | GDPR requires specific consent per purpose. Analytics consent ≠ marketing consent. | Only "Accept All" or "Reject All" — no granular control by category |
Withdrawal
| Check | Requirement | Common Failure |
|---|---|---|
| 7. Consent withdrawal accessible at any time | GDPR Art. 7(3): withdrawal must be as easy as giving consent. Persistent access required. | No cookie settings widget after initial choice; user must clear browser cache |
| 8. "Reject All" available in preference centre | Users who previously consented must be able to withdraw through the same preference centre | Preference centre only allows individual category toggles, not "withdraw all" |
Consent Records
| Check | Requirement | Common Failure |
|---|---|---|
| 9. Consent log stored (timestamp, choices, banner version) | GDPR Art. 7(1): controller must demonstrate consent was obtained | CMP stores a session cookie but no server-side consent log |
| 10. Banner version tracked in consent record | If purposes change, prior consents are invalid for new purposes. Version tracking identifies who needs re-consent. | Consent record stores "accepted" but not which version of the banner or which purposes |
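Checks 9 and 10 in working form, as an added example that is not from this guide or any CMP vendor: a server-side consent record carrying timestamp, per-purpose choices and banner version, plus the evaluation that denies any purpose the user never saw. The version identifiers, purpose names and consent id are constructed sample data.

```javascript
// Added example: purposes offered by each banner version (constructed sample).
// "marketing" only appears in v4, so a v3 record carries no consent for it.
const BANNER_VERSIONS = {
  v3: ["necessary", "analytics"],
  v4: ["necessary", "analytics", "marketing"],
};

// Build the record at the moment the user clicks. Store it server-side, keyed
// by a consent id that the browser-side consent cookie also carries (check 9).
function makeConsentRecord(consentId, bannerVersion, acceptedPurposes, now) {
  const purposes = BANNER_VERSIONS[bannerVersion];
  if (!purposes) throw new Error(`unknown banner version ${bannerVersion}`);
  const choices = {};
  for (const p of purposes) {
    // Strictly necessary cookies need no consent; everything else is opt-in.
    choices[p] = p === "necessary" ? true : acceptedPurposes.includes(p);
  }
  return { consentId, bannerVersion, timestamp: now.toISOString(), choices };
}

// Evaluate a stored record against the banner version now in production
// (check 10). A purpose is granted only if it existed in the version the user
// saw and the user accepted it there; purposes added later are denied and the
// user must be shown the new banner.
function effectiveConsent(record, currentVersion) {
  const current = BANNER_VERSIONS[currentVersion];
  if (!current) throw new Error(`unknown banner version ${currentVersion}`);
  const granted = {};
  const needsReconsent = [];
  for (const p of current) {
    if (p in record.choices) {
      granted[p] = record.choices[p];
    } else {
      granted[p] = p === "necessary";
      needsReconsent.push(p);
    }
  }
  return { granted, needsReconsent };
}
```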
Google Consent Mode v2
| Check | Requirement | Common Failure |
|---|---|---|
| 11. GCM v2 signals implemented (all 4) | From March 2024, Google requires analytics_storage, ad_storage, ad_user_data, and ad_personalization signals for EEA/UK personalised ads | Only 2 signals (analytics_storage, ad_storage) — missing ad_user_data and ad_personalization |
| 12. CMP is Google-certified partner (or manual implementation verified) | Google-certified CMPs generate correct TC strings | Using an uncertified CMP that doesn't correctly pass signals |
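Check 11 as an added example (not code from this guide, Google, or any CMP): a denied-by-default consent state and the mapping from a CMP's category choices onto all four Consent Mode v2 signals. The category names "analytics" and "marketing" and the gtag() shim are assumptions; on a real page the calls go to gtag.js.

```javascript
// Added example: the four signals Google requires for EEA/UK traffic.
const GCM_V2_SIGNALS = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];

// Default state sent before the user has interacted: everything denied, with a
// short wait so tags hold until the CMP reports the stored choice.
function gcmDefaultState() {
  const state = {};
  for (const s of GCM_V2_SIGNALS) state[s] = "denied";
  state.wait_for_update = 500; // milliseconds; real gtag consent parameter
  return state;
}

// Translate per-category choices into signal values. analytics_storage follows
// the analytics category; the three ad_* signals all follow marketing.
function gcmUpdateFromChoices(choices) {
  const grant = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: grant(choices.analytics === true),
    ad_storage: grant(choices.marketing === true),
    ad_user_data: grant(choices.marketing === true),
    ad_personalization: grant(choices.marketing === true),
  };
}

// Audit helper: an update payload is complete only if all four signals are set.
// A CMP that sends only the first two fails check 11.
function missingGcmSignals(payload) {
  return GCM_V2_SIGNALS.filter((s) => !(s in payload));
}

// Minimal gtag shim so the block runs outside a browser (assumption).
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

gtag("consent", "default", gcmDefaultState());
// Later, from the CMP's callback once the user has chosen:
gtag("consent", "update", gcmUpdateFromChoices({ analytics: true, marketing: false }));
```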
Cookie Scanning
| Check | Requirement | Common Failure |
|---|---|---|
| 13. Regular cookie scan (quarterly minimum) | Third-party scripts add cookies without notice. Regular scans catch undisclosed cookies. | Cookie policy written once, never updated as new tools are added |
| 14. All cookies in declaration match cookies on site | Every cookie must be disclosed. Undisclosed cookies = direct GDPR violation. | Cookie policy lists 12 cookies; scanner finds 47 |
Geo-Targeting, IAB TCF, CCPA
| Check | Requirement | Common Failure |
|---|---|---|
| 15. Banner shown to all EU/UK visitors | GDPR applies based on where the user is, not where they're from | Consent banner only appears for users with EU locale/language setting |
| 16. IAB TCF 2.2 used if programmatic advertising is involved | DSPs require valid TC strings from registered CMPs | Using an unregistered CMP that can't generate valid TC strings |
| 17. CCPA "Do Not Sell or Share" link in footer | CCPA §1798.135: clear and conspicuous link for California users | No opt-out link, or link goes to a broken page |
| 18. Cookie Policy up to date | All current cookies, purposes, and third parties listed with duration and type | Policy last updated in 2022, doesn't mention tools added since |
CMP Platform-Specific Notes
OneTrust
Widely used by enterprise. Verify: auto-blocking mode is enabled (not just script categorisation), consent records are stored in the OneTrust cloud (not just browser-side), GCM v2 is configured via the Google Consent Mode integration, and your auto-scan is running on at least a monthly schedule. The default OneTrust configuration does NOT block scripts — you must enable "AutoBlock" in settings.
Cookiebot / Usercentrics
Generally strong out of the box. Key check: verify your script is loaded in "Blocking Mode" and not just in "Audit Mode". Audit Mode scans cookies but does not block them — a common misconfiguration.
CookieYes
Popular for small SaaS. Verify: the JavaScript widget is in the `<head>` before any other scripts (especially GA4 and Meta Pixel). If Google Tag Manager loads before CookieYes, your analytics will fire on every page load regardless of consent.
Custom / No CMP
If you've built your own consent system, you need to verify every aspect of the checklist manually. Most custom implementations fail on: consent records (no server-side storage), GCM v2 (not implemented), and banner version tracking (no versioning).
What Regulators Look For
During an ICO or CNIL investigation, the first thing a regulator tests is your cookie banner. They use browser developer tools to check: (1) which cookies fire before consent, (2) whether the consent signal is actually being sent to your scripts, and (3) what happens when they click "Reject".
If you're in the EU, the CNIL's cookie compliance tool and the ICO's cookie audit guidance describe exactly what auditors check.
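The regulator's first two tests above (and checks 1, 13 and 14) as an added example that is not from this guide or any regulator's tool: audit a captured document.cookie string against the site's cookie declaration, flagging non-essential cookies set without consent and cookies the declaration never mentions. The declaration entries, cookie names and captured string are constructed sample data.

```javascript
// Added example: the site's cookie declaration as name patterns with a category
// (constructed). The GA4 "_ga_<id>" family is matched by one pattern.
const DECLARATION = [
  { match: /^session_id$/, category: "necessary" },
  { match: /^cookie_consent$/, category: "necessary" },
  { match: /^_ga(_[A-Z0-9]+)?$/, category: "analytics" },
  { match: /^_fbp$/, category: "marketing" },
];

// Return the declared category for a cookie name, or null if undisclosed.
function categoryOf(name) {
  const hit = DECLARATION.find((d) => d.match.test(name));
  return hit ? hit.category : null;
}

// Split a document.cookie style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(";").map((s) => s.trim()).filter(Boolean).map((s) => s.split("=")[0]);
}

// grantedCategories is empty before any click and after "Reject All"; a
// non-essential cookie present in that state fails check 1, and a cookie
// missing from the declaration fails check 14.
function auditCookies(cookieString, grantedCategories) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const cat = categoryOf(name);
    if (cat === null) {
      findings.push(`${name}: not in cookie declaration (check 14)`);
    } else if (cat !== "necessary" && !grantedCategories.includes(cat)) {
      findings.push(`${name}: ${cat} cookie set without ${cat} consent (check 1)`);
    }
  }
  return findings;
}

// Captured in a fresh browser profile before clicking anything (constructed).
const BEFORE_CONSENT = "session_id=abc; cookie_consent=; _ga=GA1.1.1; _ga_ABC123=GS1.1; _gcl_au=1.1";
const preConsentFindings = auditCookies(BEFORE_CONSENT, []);
```

Run the same function on the cookie string captured after clicking "Reject All"; a compliant setup returns no findings there.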
30-Day Remediation Priority Order
- Week 1 (Critical): Ensure no cookies fire before consent. Enable blocking mode in your CMP. Add equal-prominence "Reject All" button.
- Week 2: Run a full cookie scan. Update your cookie policy to match reality. Ensure consent withdrawal is accessible at all times.
- Week 3: Implement or verify GCM v2 (all 4 signals). Ensure consent records are stored server-side with timestamp and banner version.
- Week 4: Add CCPA opt-out link (if serving California). Add granular category controls to preference centre. Set up quarterly scan reminder.
Use our Cookie Consent Audit Generator to assess all 18 controls and generate a documented audit report. Pair with a Cookie Policy Generator to update your public-facing policy.
⚠️ This guide is for informational purposes and does not constitute legal advice. Cookie consent requirements vary by jurisdiction and are subject to ongoing regulatory guidance updates.