GDPR Art. 13 requires controllers to provide data subjects with information about cookies and tracking 'at the time when personal data are obtained' — meaning before or at the moment of consent, not buried in a terms document. ePrivacy Art. 5(3) ties the validity of consent to the user being 'provided with clear and comprehensive information.' A consent banner with no link to a cookie policy asks users to consent without knowing what they are consenting to. CCPA §1798.135 separately requires a 'Do Not Sell or Share' notice that must reference the categories of data and how to opt out, typically in a dedicated policy document.
Low because the absence of a linked cookie policy impairs informed consent but does not itself cause unlawful data collection — it reduces the quality and defensibility of consent obtained rather than making the act of collection per se unlawful.
Create app/cookies/page.tsx (or an equivalent static MDX page) and link it directly from the consent banner's introductory text. The page must be publicly accessible without authentication.
// In CookieBanner.tsx — add the link before the action buttons
<p className="text-sm text-gray-600">
  We use cookies to improve your experience.{' '}
  <a href="/cookies" className="underline" target="_blank" rel="noopener noreferrer">
    Read our Cookie Policy
  </a>{' '}
  to see exactly what we collect and why.
</p>
Generate the page content from COOKIE_REGISTRY (see the all-cookies-documented remediation) so it stays in sync with actual cookie usage automatically. The route should appear in the site's sitemap.xml and must not be marked noindex (no robots: { index: false } metadata on this route), so the page is discoverable.
ID: cookie-consent-compliance.cookie-policy.cookie-policy-page
Severity: low
What to look for: Look for a dedicated cookie policy or cookie information page. Check routes: /cookies, /cookie-policy, /privacy/cookies, /legal/cookies. Alternatively, check the main privacy policy page for a dedicated cookies section. Find the consent banner component and look for a link to the cookie policy — typically "Learn more", "Read our Cookie Policy", or "View Cookie Policy" — within the banner's text or a "Manage preferences" panel. Verify the link is present and points to a real page (not a 404 or a generic privacy policy with no cookie-specific content). Check whether the cookie policy page is accessible without authentication.
Pass criteria: Count all cookie policy pages or sections. A dedicated cookie policy page (or a clearly labeled cookies section within the privacy policy) exists, is publicly accessible without login, and is linked directly from the consent banner. At least 1 dedicated cookie policy page or section must exist and be linked from the consent banner.
Fail criteria: No dedicated cookie policy page and no cookies section in the privacy policy. Cookie policy page exists but the consent banner contains no link to it. Cookie policy is behind a login wall. Link is present in the banner but points to a 404 or the homepage.
Skip (N/A) when: Application sets no cookies and loads no third-party scripts (already skipping all-cookies-documented).
Detail on fail: Example: "No cookie policy page found. Privacy policy exists at /privacy but contains no dedicated cookies section." or "Cookie policy exists at /cookies but the consent banner contains no link to it — users cannot learn more before consenting."
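To make the pass, fail and skip criteria above mechanical, here is an added evaluator (example code, not part of the original rule set) that takes the rendered banner markup plus the results of probing the candidate routes without a session, and returns pass, fail or skip with a detail string in the form shown above. The input shape, the sample banner HTML and the probe results are constructed for this example.

```typescript
// Added example (not part of the original rule): an offline evaluator for the
// cookie-policy-page check. The banner markup and the route probe results are
// constructed stand-ins for what a scanner would gather by fetching the site
// without a session.

type RouteProbe = {
  status: number;            // HTTP status when fetched without a session
  requiresLogin: boolean;    // redirected to, or rendered, a login wall
  hasCookieSection: boolean; // page carries cookie-specific content
};

type CheckResult = { result: "pass" | "fail" | "skip"; detail: string };

type CheckInput = {
  setsCookiesOrLoadsThirdPartyScripts: boolean;
  bannerHtml: string;                  // rendered consent banner markup
  routes: Record<string, RouteProbe>;  // path -> probe result
  privacyPolicyPath?: string;          // e.g. "/privacy", when one exists
};

// Routes the rule says to probe for a dedicated cookie policy page.
const CANDIDATE_ROUTES = ["/cookies", "/cookie-policy", "/privacy/cookies", "/legal/cookies"];

// A route counts as a policy page if it is login-walled (still a fail, but a
// different one) or reachable with cookie-specific content.
function isPolicyPage(p: RouteProbe | undefined): boolean {
  return p !== undefined && (p.requiresLogin || (p.status === 200 && p.hasCookieSection));
}

// Pull href values out of <a> tags (a real scanner would use a DOM; a regex
// is enough for this self-contained example).
function extractHrefs(html: string): string[] {
  const hrefs: string[] = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1]);
  return hrefs;
}

// Reduce an href to a path: drop scheme/host, query, fragment, trailing slash.
function toPath(href: string): string {
  const path = href
    .replace(/^[a-z][a-z0-9+.-]*:\/\/[^/]*/i, "")
    .replace(/[?#].*$/, "")
    .replace(/\/+$/, "");
  return path === "" ? "/" : path;
}

function evaluateCookiePolicyCheck(input: CheckInput): CheckResult {
  if (!input.setsCookiesOrLoadsThirdPartyScripts) {
    return { result: "skip", detail: "Application sets no cookies and loads no third-party scripts." };
  }

  // 1. Does any cookie policy page or section exist at all?
  const candidates = input.privacyPolicyPath
    ? [...CANDIDATE_ROUTES, input.privacyPolicyPath]
    : CANDIDATE_ROUTES;
  const policyPages = candidates.filter((path) => isPolicyPage(input.routes[path]));
  if (policyPages.length === 0) {
    const privacy = input.privacyPolicyPath ? input.routes[input.privacyPolicyPath] : undefined;
    const suffix = input.privacyPolicyPath && privacy && privacy.status === 200
      ? ` Privacy policy exists at ${input.privacyPolicyPath} but contains no dedicated cookies section.`
      : "";
    return { result: "fail", detail: `No cookie policy page found.${suffix}` };
  }
  const first = policyPages[0];

  // 2. Does the banner link to one of them, and is that page public?
  const linked = extractHrefs(input.bannerHtml)
    .filter((h) => !/^(#|javascript:|mailto:)/i.test(h)) // ignore in-page and non-HTTP links
    .map(toPath);
  const hit = linked.find((p) => policyPages.indexOf(p) !== -1);
  if (hit !== undefined) {
    if (input.routes[hit]?.requiresLogin) {
      return { result: "fail", detail: `Cookie policy at ${hit} is linked from the banner but sits behind a login wall.` };
    }
    return { result: "pass", detail: `Cookie policy at ${hit} is publicly accessible and linked from the consent banner.` };
  }

  // 3. A link exists but goes somewhere useless, or there is no link at all.
  for (const p of linked) {
    if (p === "/") {
      return { result: "fail", detail: `Consent banner links to the homepage instead of the cookie policy at ${first}.` };
    }
    const probe = input.routes[p];
    if (probe === undefined || probe.status === 404) {
      return { result: "fail", detail: `Consent banner link ${p} returns 404; cookie policy is at ${first}.` };
    }
    if (!probe.hasCookieSection) {
      return { result: "fail", detail: `Consent banner links to ${p}, which has no cookie-specific content; cookie policy is at ${first}.` };
    }
  }
  return { result: "fail", detail: `Cookie policy exists at ${first} but the consent banner contains no link to it; users cannot learn more before consenting.` };
}
```

The evaluator checks existence first, then the banner link, then accessibility, so a site that fails on several counts reports the earliest fail criterion in the order the rule lists them.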
Remediation: Create a cookie policy page and link it from the banner:
// In your CookieBanner component, add a link:
<p className="text-sm text-gray-600">
  We use cookies to enhance your experience.{' '}
  <a href="/cookies" className="underline" target="_blank" rel="noopener">
    Read our Cookie Policy
  </a>{' '}
  to learn what we use and why.
</p>
The cookie policy page should be a simple static page. In Next.js App Router:
app/cookies/page.tsx — the page component
app/cookies/page.mdx — alternatively, an MDX file if you use MDX for content
The page content should be generated from your COOKIE_REGISTRY constant (see all-cookies-documented remediation) so it stays in sync with actual cookie usage automatically.
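As an added example (not the project's own code) of generating the page content from the registry: a COOKIE_REGISTRY shape, a validator, a renderer that produces the page body as Markdown/MDX (so it fits the page.mdx route above), and a check that flags cookies observed in the browser that the registry does not declare. The entry fields, the sample entries and the category names are assumptions for this example; the real registry's shape comes from the all-cookies-documented remediation.

```typescript
// Added example (not the project's own code): a COOKIE_REGISTRY constant and a
// generator that turns it into the cookie policy page body, so the page cannot
// drift from the cookies actually declared. Field names, categories and the
// sample entries are assumptions made for this example.

type CookieCategory = "necessary" | "functional" | "analytics" | "marketing";

type CookieEntry = {
  name: string;     // cookie name exactly as set by Set-Cookie or document.cookie
  provider: string; // first party, or the third party that sets it
  purpose: string;
  duration: string; // e.g. "session", "12 months"
  category: CookieCategory;
};

// Constructed sample registry.
const COOKIE_REGISTRY: readonly CookieEntry[] = [
  { name: "session_id", provider: "First party", purpose: "Keeps you signed in.", duration: "session", category: "necessary" },
  { name: "cookie_consent", provider: "First party", purpose: "Stores your consent choices.", duration: "12 months", category: "necessary" },
  { name: "_ga", provider: "Google Analytics", purpose: "Distinguishes visitors for usage statistics.", duration: "2 years", category: "analytics" },
];

const CATEGORY_ORDER: CookieCategory[] = ["necessary", "functional", "analytics", "marketing"];

const CATEGORY_TITLES: Record<CookieCategory, string> = {
  necessary: "Strictly necessary cookies",
  functional: "Functional cookies",
  analytics: "Analytics cookies",
  marketing: "Marketing cookies",
};

const REQUIRED_FIELDS: Array<"name" | "provider" | "purpose" | "duration"> = ["name", "provider", "purpose", "duration"];

// Reject entries that would leave a required field blank on the policy page,
// and duplicate names that would list one cookie twice.
function validateRegistry(registry: readonly CookieEntry[]): string[] {
  const problems: string[] = [];
  const seen = new Set<string>();
  for (const c of registry) {
    for (const field of REQUIRED_FIELDS) {
      if (c[field].trim() === "") problems.push(`${c.name || "<unnamed>"}: empty ${field}`);
    }
    if (seen.has(c.name)) problems.push(`${c.name}: duplicate entry`);
    seen.add(c.name);
  }
  return problems;
}

// Escape the pipe character so a purpose string cannot break the table layout.
function cell(s: string): string {
  return s.replace(/\|/g, "\\|");
}

// Render the page body as Markdown/MDX, one table per category that has cookies.
function renderCookiePolicyMarkdown(registry: readonly CookieEntry[]): string {
  const problems = validateRegistry(registry);
  if (problems.length > 0) throw new Error(`COOKIE_REGISTRY invalid: ${problems.join("; ")}`);
  const out: string[] = ["# Cookie Policy", ""];
  for (const cat of CATEGORY_ORDER) {
    const rows = registry.filter((c) => c.category === cat);
    if (rows.length === 0) continue;
    out.push(`## ${CATEGORY_TITLES[cat]}`, "", "| Cookie | Provider | Purpose | Duration |", "| --- | --- | --- | --- |");
    for (const c of rows) {
      out.push(`| ${cell(c.name)} | ${cell(c.provider)} | ${cell(c.purpose)} | ${cell(c.duration)} |`);
    }
    out.push("");
  }
  return out.join("\n");
}

// Cookie names observed in the browser that the registry does not declare.
// A non-empty result means the generated policy page is already out of date.
function findUndocumentedCookies(observed: readonly string[], registry: readonly CookieEntry[]): string[] {
  const documented = new Set(registry.map((c) => c.name));
  return observed.filter((n) => !documented.has(n));
}
```

Because the renderer throws on an invalid registry, a build that imports it fails before an incomplete policy page can be published; running findUndocumentedCookies against the cookie names captured in an end-to-end test turns "stays in sync" into a test that fails when someone adds a cookie without registering it.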