All 18 checks with why-it-matters prose, severity, and cross-references to related audits.
ePrivacy Art. 5(3) prohibits storing information on a user's device without prior informed consent. When analytics and ad pixels fire on page load before a consent banner appears, every first visit becomes an unlawful data collection event. Regulators — the CNIL, ICO, and Austrian DSB — have each issued fines specifically for this ordering failure, not for lacking a banner entirely. The business risk is not theoretical: a single DPA complaint can trigger an investigation across an entire platform.
Why this severity: Critical because a mis-ordered load sequence violates ePrivacy Art. 5(3) on every first page view, exposing the operator to per-visit regulatory liability before any user interaction occurs.
cookie-consent-compliance.banner-ux.banner-first-visit

GDPR Art. 4(11) defines consent as a 'freely given, specific, informed and unambiguous indication' — pre-ticked boxes satisfy none of those criteria. The CJEU's Planet49 ruling (C-673/17, 2019) settled this definitively: checkboxes ticked by default do not constitute valid consent under either GDPR Art. 7(2) or ePrivacy Art. 5(3). Any analytics or marketing data collected under a pre-ticked opt-out model is collected without lawful basis, making every downstream use — ad targeting, conversion tracking, behavioral profiling — equally unlawful.
Why this severity: Critical because pre-ticked non-essential categories constitute invalid consent under GDPR Art. 7(2) and the Planet49 CJEU ruling, rendering all data collected under them without lawful basis.
cookie-consent-compliance.banner-ux.non-essential-defaults-off

GDPR Recital 43 states that consent is not freely given when the data subject cannot refuse without detriment, and GDPR Art. 7 requires withdrawal to be as easy as giving consent. A banner with only an 'Accept All' button — no per-category controls, no reject path — is an unlawful consent mechanism regardless of its visual polish. Regulators treat accept-only banners as no consent at all, meaning every cookie set under them lacks lawful basis under both GDPR Art. 6(1)(a) and ePrivacy Art. 5(3).
Why this severity: High because a banner lacking a reject path or per-category controls is treated by EU regulators as an unlawful consent mechanism, invalidating all non-essential cookies collected under it.
cookie-consent-compliance.banner-ux.accept-reject-per-category

GDPR Art. 4(11) requires consent to be 'freely given' — a standard the CNIL (FR), ICO (UK), and Belgian DPA have each applied to banner design, finding that visually suppressed reject buttons constitute coercive design that vitiates free choice. Dark patterns documented by regulators include: ghost-styled reject buttons next to primary-styled accept buttons, reject paths buried behind multi-step preference dialogs, and labels like 'I understand' that conflate dismissal with acceptance. Data collected via these patterns has been ruled to lack valid consent under ePrivacy Art. 5(3).
Why this severity: High because regulators in multiple EU jurisdictions have explicitly ruled that asymmetric button prominence constitutes a dark pattern that invalidates consent under GDPR Art. 7(4) and Art. 4(11).
cookie-consent-compliance.banner-ux.no-dark-patterns

A consent banner that is keyboard-inaccessible is functionally invisible to screen reader users and keyboard-only navigators, forcing them to accept cookies by default or abandon the site. WCAG 2.2 SC 2.1.1 requires all functionality to be operable via keyboard; SC 4.1.2 requires interactive controls to have accessible names. Section 508 (2018 refresh 502.3.1) applies the same standard to US government-adjacent products. The legal exposure compounds: a banner that traps or loses keyboard focus also violates WCAG 2.2 SC 2.1.2 (no keyboard trap), creating both accessibility and consent-validity failures simultaneously.
Why this severity: Medium because keyboard and screen-reader inaccessibility violates WCAG 2.2 SC 2.1.1 and 4.1.2, but does not directly invalidate the consent mechanism for sighted mouse users who can still interact with it.
cookie-consent-compliance.banner-ux.banner-accessible

Under GDPR Art. 7(1), the controller must be able to demonstrate that consent was obtained — which presupposes that the consent decision is durably stored. If consent is written to `sessionStorage` instead of `localStorage` or a first-party cookie, the banner reappears on every new browser session, which undermines CCPA §1798.135's opt-out persistence requirement and forces users to re-engage with the consent mechanism repeatedly. ePrivacy Art. 5(3) additionally requires that access to stored information only occur after consent is obtained — storing consent in a mechanism that doesn't survive the session means scripts fire on the very next load.
Why this severity: High because session-only consent storage causes the consent mechanism to functionally reset on every new tab or browser restart, making sustained lawful processing impossible under GDPR Art. 7 and ePrivacy Art. 5(3).
cookie-consent-compliance.consent-enforcement.consent-state-persisted

ePrivacy Art. 5(3) prohibits accessing or storing information on a device without prior consent. GDPR Art. 6(1)(a) requires a lawful basis — and for non-essential tracking, consent is the only available basis. When GA4, Facebook Pixel, or Segment loads via a static `<script>` tag or an unconditional `strategy='afterInteractive'` Next.js `<Script>`, it fires before any user interaction, collecting device identifiers and behavioral data without a lawful basis. CCPA §1798.135 imposes the parallel obligation for California residents' right to opt out of sale/sharing of personal information, which ad pixels facilitate. This is the most commonly litigated technical failure in DPA enforcement actions.
Why this severity: Critical because a static or unconditionally loaded analytics script fires on every page view, collecting personal data without any lawful basis under GDPR Art. 6(1)(a) and ePrivacy Art. 5(3) — the core violation regulators fine for.
cookie-consent-compliance.consent-enforcement.scripts-conditional-on-consent

GDPR Art. 7(3) states that a data subject has the right to withdraw consent at any time, and Recital 32 clarifies that consent must be granular and specific to each purpose. When new tracking purposes or third parties are added without re-prompting users, the original consent — even if validly obtained — no longer covers the new processing. ePrivacy Art. 5(3) ties the scope of consent to the specific purposes declared at the time of collection. A user who consented to analytics-only in 2024 has not consented to the marketing pixel added in 2025, and treating their stored preference as blanket consent for all future additions is unlawful.
Why this severity: Medium because the failure only affects users with previously stored consent — it does not affect new visitors — but it invalidates consent for all returning users when new tracking is added without triggering re-consent.
cookie-consent-compliance.consent-enforcement.re-consent-after-changes

GDPR Art. 7(1) places the burden of proof on the controller to demonstrate that consent was obtained. Art. 5(2) (accountability) reinforces this: the controller must be able to show, on request, that consent was lawful. A stored boolean `'true'` fails this standard — it records that something was accepted, not when, under what banner version, or for which specific purposes. Recital 42 notes that consent should include the time of consent and information about what was consented to. Without a timestamped, structured record, the controller cannot demonstrate compliance to a DPA or defend against a subject access request.
Why this severity: Medium because absent timestamp and version metadata makes it impossible to demonstrate lawful consent under GDPR Art. 7(1) and Art. 5(2), but the underlying processing may still be lawful if consent was genuinely given.
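As an added example that is not code from the audit page, the following JavaScript ties together the four enforcement checks above (consent-state-persisted, scripts-conditional-on-consent, re-consent-after-changes, consent-records-timestamped): a structured consent record carrying timestamp, banner version and per-purpose decisions, a check that forces re-consent when the offered purposes change, and a loader gate that fires tracking scripts only for accepted purposes. The storage key, banner version, purpose names and the injected storage object are assumptions; in a browser the storage object would be `window.localStorage`.

```javascript
// Added example, not code from the audit page; key, version and purpose names are assumed.
const CONSENT_KEY = "consent_record";
const CURRENT_BANNER_VERSION = 3;                    // bump whenever purposes or vendors change
const CURRENT_PURPOSES = ["analytics", "marketing"]; // non-essential purposes offered today

// Storage is injected so this runs offline; in a browser use window.localStorage, not sessionStorage.
function saveConsent(storage, decisions, now = new Date()) {
  const record = {
    version: CURRENT_BANNER_VERSION,
    timestamp: now.toISOString(),       // when consent was given
    purposes: CURRENT_PURPOSES.slice(), // what was offered at that time
    decisions: Object.fromEntries(CURRENT_PURPOSES.map((p) => [p, decisions[p] === true])),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Null for a missing record or a legacy bare "true", which cannot show when or for what consent was given.
function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const rec = JSON.parse(raw);
    const ok = rec !== null && typeof rec === "object" &&
      typeof rec.timestamp === "string" && typeof rec.version === "number";
    return ok ? rec : null;
  } catch (e) { return null; }
}

// Re-consent if no valid record, the banner version moved, or a purpose offered today was never decided.
function needsReconsent(record) {
  if (!record || record.version !== CURRENT_BANNER_VERSION) return true;
  return CURRENT_PURPOSES.some((p) => !(p in (record.decisions || {})));
}

// Fire loaders only for purposes with an affirmative, current decision; otherwise load nothing.
function loadPermittedScripts(storage, loaders) {
  const record = loadConsent(storage);
  if (needsReconsent(record)) return []; // caller shows the banner instead
  const fired = Object.keys(loaders).filter((p) => record.decisions[p] === true);
  fired.forEach((p) => loaders[p]());
  return fired;
}

// Minimal stand-in for the Web Storage API so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}
```

The `purposes` snapshot lets a reviewer see exactly what was on offer when the record was written, which is what a DPA asks for; the version bump is what turns a newly added pixel into a fresh banner rather than silently inheriting old consent.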
cookie-consent-compliance.consent-enforcement.consent-records-timestamped

GDPR Art. 7(3) guarantees the right to withdraw consent at any time, and requires withdrawal to be 'as easy as giving consent.' ePrivacy Art. 5(3) ties this to the ongoing lawfulness of accessing device storage — once consent is withdrawn, tracking must stop. CCPA §1798.135 separately requires a permanent, always-accessible opt-out mechanism. A banner that can only be seen once — dismissed and never reachable again — makes withdrawal functionally impossible, which means any ongoing tracking after the initial consent period continues without a valid ongoing basis.
Why this severity: Low because the violation only affects users who change their minds after initial consent; it does not affect the initial consent act itself, reducing its severity compared to the upstream banner and enforcement checks.
cookie-consent-compliance.consent-enforcement.consent-withdrawal

ePrivacy Art. 5(3) requires informed consent before accessing device storage — users cannot give informed consent to cookies they don't know exist. GDPR Art. 13 requires controllers to disclose the categories of data processed and the recipients, which for cookie-based tracking means naming every third-party tool and the cookies it sets. CCPA §1798.135 requires disclosure of the categories of personal information collected and shared. An undocumented cookie from Hotjar or a Facebook Pixel is not a minor oversight — it is an undisclosed collection of behavioral data shared with a third-party processor outside the scope of any consent obtained.
Why this severity: High because undocumented cookies represent undisclosed data collection, directly violating the transparency obligations of GDPR Art. 13 and the informed-consent prerequisite of ePrivacy Art. 5(3).
cookie-consent-compliance.cookie-classification.all-cookies-documented

ePrivacy Art. 5(3) prohibits storing information on a device for any purpose not disclosed at the time of consent. GDPR Art. 5(1)(a)'s transparency principle and CWE-359 (exposure of private information) both apply when cookies are set that users have not been told about. Google Tag Manager is a common source of shadow cookies: a new tag added to the GTM container can set cookies without any code change, making code review an insufficient audit method. A/B testing and session recording tools are frequently added by marketing teams without coordinating with the consent setup, creating undisclosed collection that continues silently.
Why this severity: Medium because unclassified cookies represent undisclosed processing that violates ePrivacy Art. 5(3) and GDPR Art. 5(1)(a), but the impact is typically narrower than the primary consent failures upstream.
cookie-consent-compliance.cookie-classification.no-unclassified-cookies

ePrivacy Art. 5(3) exempts from consent only cookies 'strictly necessary' for a service explicitly requested by the user — a narrow carve-out that does not cover analytics, A/B testing, or affiliate attribution. GDPR Art. 6(1)(b)'s performance-of-contract basis equally does not extend to tracking that serves the operator's interests rather than delivering the requested service. Miscategorizing GA as 'functional' to bypass the consent requirement is a documented enforcement priority: the Austrian DSB, Italian Garante, and CNIL have all found this specific misclassification to constitute an unlawful consent mechanism under GDPR Recital 47.
Why this severity: Low because the error is a miscategorization in the registry rather than an operational tracking failure, but it undermines the legal basis for treating those cookies as consent-exempt and exposes the consent architecture to challenge.
cookie-consent-compliance.cookie-classification.essential-genuinely-essential

GDPR Art. 13(1)(e) requires disclosure of the recipients or categories of recipients of personal data — which for cookie-based tracking means identifying the third-party providers by name, not just category. Users making a consent decision about 'analytics cookies' cannot give informed consent under GDPR Art. 4(11) without knowing that accepting means sharing behavioral data with Google LLC or Meta Platforms Inc. YouTube embeds are a common blind spot: an embedded `youtube.com` iframe — not `youtube-nocookie.com` — sets `VISITOR_INFO1_LIVE` and `YSC` cookies on page load, before any user interaction with the video.
Why this severity: Low because the failure is one of disclosure completeness rather than the presence of unconsented tracking, but it renders consent uninformed and therefore invalid under GDPR Art. 4(11) for the undisclosed providers.
cookie-consent-compliance.cookie-classification.third-party-cookies-disclosed

GDPR Art. 13 requires controllers to provide data subjects with information about cookies and tracking 'at the time when personal data are obtained' — meaning before or at the moment of consent, not buried in a terms document. ePrivacy Art. 5(3) ties the validity of consent to the user being 'provided with clear and comprehensive information.' A consent banner with no link to a cookie policy asks users to consent without knowing what they are consenting to. CCPA §1798.135 separately requires a 'Do Not Sell or Share' notice that must reference the categories of data and how to opt out, typically in a dedicated policy document.
Why this severity: Low because the absence of a linked cookie policy impairs informed consent but does not itself cause unlawful data collection — it reduces the quality and defensibility of consent obtained rather than making the act of collection per se unlawful.
cookie-consent-compliance.cookie-policy.cookie-policy-page

GDPR Art. 13(1)(c) requires disclosure of 'the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.' For cookie-based tracking, this means naming the specific cookies, their retention periods, and who processes the data — not just stating 'we use analytics cookies.' CNIL enforcement guidelines specifically require per-cookie documentation by name. When a cookie policy lists only category descriptions, users cannot identify individual trackers, compare them against browser developer tools, or make meaningful decisions about specific processing activities.
Why this severity: Info because the failure is a documentation gap that reduces consent quality and regulatory defensibility rather than causing active unlawful processing — the consent mechanism and enforcement can still function without it.
cookie-consent-compliance.cookie-policy.per-cookie-documentation

GDPR Art. 13(1)(e) requires disclosure of recipients or categories of recipients — which maps directly onto the first-party/third-party distinction in cookie usage. When third-party cookies are listed alongside first-party cookies in an undifferentiated table, users cannot assess the cross-site tracking implications. Third-party cookies set by Google or Meta persist across every site where those providers' scripts run; first-party cookies are domain-scoped. ePrivacy Art. 5(3) consent must be informed about this distinction because the scope of data access differs materially. CCPA §1798.135 similarly requires disclosure of whether personal information is 'sold or shared' with third parties — a concept that maps directly onto third-party cookie tracking.
Why this severity: Info because the failure is a presentational gap in an existing policy rather than an active tracking violation, but it reduces the quality of the informed consent obtained and limits users' ability to understand the privacy implications of third-party processing.
cookie-consent-compliance.cookie-policy.first-third-party-distinction

GDPR Art. 13 requires that disclosures be accurate and current — a cookie policy listing Hotjar when the application no longer loads Hotjar, or omitting Segment which was added last quarter, means users are making consent decisions based on incorrect information. GDPR Art. 5(1)(a)'s accuracy principle applies to policy disclosures as much as to personal data records. A policy with placeholder text or a stale 'Last updated: 2022' date is a signal regulators treat as evidence that the compliance process is not operational, which can convert an isolated technical finding into a systemic accountability failure under Art. 5(2).
Why this severity: Info because a stale policy is a documentation and accountability failure rather than an active collection violation, but it demonstrates to regulators that the consent compliance process is not maintained — compounding the severity of any co-existing collection failures.
cookie-consent-compliance.cookie-policy.policy-kept-current
Open Cookie & Consent Compliance Audit