Dedicated cookie policy page exists and is linked from consent banner
Why it matters
GDPR Art. 13 requires controllers to provide data subjects with information about cookies and tracking 'at the time when personal data are obtained' — meaning before or at the moment of consent, not buried in a terms document. ePrivacy Art. 5(3) ties the validity of consent to the user being 'provided with clear and comprehensive information.' A consent banner with no link to a cookie policy asks users to consent without knowing what they are consenting to. CCPA §1798.135 separately requires a 'Do Not Sell or Share' notice that must reference the categories of data and how to opt out, typically in a dedicated policy document.
Severity rationale
Low because the absence of a linked cookie policy impairs informed consent but does not itself cause unlawful data collection — it reduces the quality and defensibility of consent obtained rather than making the act of collection per se unlawful.
Remediation
Create app/cookies/page.tsx (or an equivalent static MDX page) and link it directly from the consent banner's introductory text. The page must be publicly accessible without authentication.
// In CookieBanner.tsx — add the link before the action buttons
<p className="text-sm text-gray-600">
We use cookies to improve your experience.{' '}
<a href="/cookies" className="underline" target="_blank" rel="noopener noreferrer">
Read our Cookie Policy
</a>{' '}
to see exactly what we collect and why.
</p>
Generate the page content from COOKIE_REGISTRY (see the all-cookies-documented remediation) so it stays in sync with actual cookie usage automatically. The route should appear in the site's sitemap.xml and must not be excluded from indexing with a robots: { index: false } metadata directive.
Detection
- ID: cookie-policy-page
- Severity: low
- What to look for: Look for a dedicated cookie policy or cookie information page. Check routes: /cookies, /cookie-policy, /privacy/cookies, /legal/cookies. Alternatively, check the main privacy policy page for a dedicated cookies section. Find the consent banner component and look for a link to the cookie policy — typically "Learn more", "Read our Cookie Policy", or "View Cookie Policy" — within the banner's text or a "Manage preferences" panel. Verify the link is present and points to a real page (not a 404 or a generic privacy policy with no cookie-specific content). Check whether the cookie policy page is accessible without authentication.
- Pass criteria: Count all cookie policy pages or sections. A dedicated cookie policy page (or a clearly labeled cookies section within the privacy policy) exists, is publicly accessible without login, and is linked directly from the consent banner. At least 1 dedicated cookie policy page or section must exist and be linked from the consent banner.
- Fail criteria: No dedicated cookie policy page and no cookies section in the privacy policy. Cookie policy page exists but the consent banner contains no link to it. Cookie policy is behind a login wall. Link is present in the banner but points to a 404 or the homepage.
- Skip (N/A) when: Application sets no cookies and loads no third-party scripts (already skipping all-cookies-documented).
- Detail on fail: Example: "No cookie policy page found. Privacy policy exists at /privacy but contains no dedicated cookies section." or "Cookie policy exists at /cookies but the consent banner contains no link to it — users cannot learn more before consenting."
- Remediation: Create a cookie policy page and link it from the banner:
  // In your CookieBanner component, add a link:
  <p className="text-sm text-gray-600">
    We use cookies to enhance your experience.{' '}
    <a href="/cookies" className="underline" target="_blank" rel="noopener">
      Read our Cookie Policy
    </a>{' '}
    to learn what we use and why.
  </p>
  The cookie policy page should be a simple static page. In Next.js App Router:
  - app/cookies/page.tsx — the page component
  - app/cookies/page.mdx — alternatively, an MDX file if you use MDX for content
  The page content should be generated from your COOKIE_REGISTRY constant (see the all-cookies-documented remediation) so it stays in sync with actual cookie usage automatically.
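The pass, fail and skip criteria above, implemented as an added example check over an in-memory site snapshot. This is illustrative code, not the scanner's own; the Page/Site fixture shapes, SAMPLE_SITE and SAMPLE_BANNER are constructed assumptions.

```typescript
// Added example, not the scanner's own code: evaluates the cookie-policy-page
// check over an in-memory site snapshot. Page/Site shapes are assumed fixtures.
type Page = { status: number; requiresAuth: boolean; html: string };
type Site = Record<string, Page>;
export type Verdict = { result: "pass" | "fail" | "skip"; detail: string };
const POLICY_ROUTES = ["/cookies", "/cookie-policy", "/privacy/cookies", "/legal/cookies"];
const BANNER_LINK = /learn more|read our cookie policy|view cookie policy/i;
// A clearly labelled cookies section (a heading) inside another page also counts.
const COOKIE_HEADING = /<h[1-6][^>]*>[^<]*cookies?[^<]*<\/h[1-6]>/i;
function fail(detail: string): Verdict { return { result: "fail", detail }; }
// Collect [path, visible text] for every anchor in an HTML fragment (query/hash stripped).
function anchors(html: string): Array<[string, string]> {
  const re = /<a\b[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const out: Array<[string, string]> = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    out.push([m[1].split(/[?#]/)[0], m[2].replace(/<[^>]+>/g, "").trim()]);
  }
  return out;
}
export function checkCookiePolicyPage(site: Site, bannerHtml: string, setsCookies: boolean): Verdict {
  if (!setsCookies) return { result: "skip", detail: "No cookies and no third-party scripts." };
  // 1. A dedicated policy page, or a cookies section in the main privacy policy, must exist.
  const route = POLICY_ROUTES.find((r) => site[r]?.status === 200)
    ?? (site["/privacy"] && COOKIE_HEADING.test(site["/privacy"].html) ? "/privacy" : undefined);
  if (!route) return fail("No cookie policy page found and no cookies section in the privacy policy.");
  if (site[route].requiresAuth) return fail(`Cookie policy at ${route} is behind a login wall.`);
  // 2. The banner must link to it, and the link must resolve to a real, cookie-specific page.
  const link = anchors(bannerHtml).find(([, text]) => BANNER_LINK.test(text));
  if (!link) return fail(`Cookie policy exists at ${route} but the consent banner contains no link to it.`);
  const [href] = link;
  const target = site[href];
  if (!target || target.status === 404) return fail(`Banner link ${href} points to a 404.`);
  if (href === "/") return fail("Banner link points to the homepage, not the cookie policy.");
  if (!POLICY_ROUTES.includes(href) && !COOKIE_HEADING.test(target.html)) {
    return fail(`Banner link ${href} resolves to a page with no cookie-specific content.`);
  }
  return { result: "pass", detail: `Cookie policy at ${route} is public and linked from the banner.` };
}

// Constructed fixture: a compliant site whose banner uses the remediation snippet above.
export const SAMPLE_SITE: Site = {
  "/": { status: 200, requiresAuth: false, html: "<h1>Home</h1>" },
  "/cookies": { status: 200, requiresAuth: false, html: "<h1>Cookie Policy</h1><table></table>" },
};
export const SAMPLE_BANNER = '<p>We use cookies to improve your experience. '
  + '<a href="/cookies" className="underline" target="_blank" rel="noopener noreferrer">'
  + 'Read our Cookie Policy</a> to see exactly what we collect and why.</p>';
```

Running the check against the fixture returns a pass; dropping the banner link, gating /cookies behind login, or pointing the link at the homepage each produce the corresponding fail detail.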
External references
- gdpr · Art. 13 — GDPR — information must be provided in an easily accessible form
- eprivacy · Art. 5(3) — ePrivacy Directive — clear and comprehensive information required prior to consent
- ccpa · §1798.135 — CCPA — privacy notice must be accessible from the homepage
Taxons
History
- 2026-04-18·v1.0.0·Initial import from cookie-consent-compliance·automated