GDPR Art. 13 and ePrivacy Art. 5(3) require that users be informed of every cookie set by the application, its purpose, and its retention period before consent is obtained. An incomplete cookie register means your consent banner is legally invalid — users cannot give informed consent to cookies they don't know exist. CCPA §1798.120 also requires disclosure of the categories of data collected through tracking technologies. Common AI-built apps add Facebook Pixel, Google Analytics, and Hotjar during different sessions and never update the consent configuration, leaving undisclosed cookies firing on every page load. ISO-27001:2022 A.5.34 requires organizations to maintain records of processing activities that include this level of classification.
High, because an undisclosed cookie invalidates consent for that tracking category and exposes the business to regulatory action and erosion of user trust, even when a banner is present.
Maintain a typed cookie registry in your codebase as the single source of truth for both the consent banner and the privacy policy cookie section.
// lib/cookies.ts — cookie registry
export const COOKIES = [
  {
    name: 'session',
    type: 'necessary' as const,
    purpose: 'Maintains authenticated session state',
    expiry: 'Session',
    thirdParty: false,
  },
  {
    name: '_ga, _ga_XXXXXXXX',
    type: 'analytics' as const,
    purpose: 'Google Analytics — pseudonymous page view and behavior tracking',
    expiry: '2 years',
    thirdParty: true,
    provider: 'Google LLC',
  },
  {
    name: '_fbp',
    type: 'marketing' as const,
    purpose: 'Facebook Pixel — conversion tracking and ad attribution',
    expiry: '90 days',
    thirdParty: true,
    provider: 'Meta Platforms Inc.',
  },
] as const
Import this registry into your consent banner component to render the per-category toggle labels, and mirror it verbatim in your privacy policy's cookie table. Every time you add a third-party script, add its cookies here first.
ID: data-protection.data-collection-consent.cookie-classification
Severity: high
What to look for: Enumerate every relevant item. If a consent manager is in use, check its configuration file or dashboard for a cookie registry. Look for a cookie list in the privacy policy. If custom-built, check the consent banner component for a cookies array or config object that lists cookies. For each cookie (first-party and third-party), verify it has: type (necessary/analytics/marketing), a human-readable purpose description, its expiration, and whether it is set by a third party. Pay attention to third-party cookies set by loaded scripts (Facebook Pixel, Google Analytics, Intercom, Hotjar) — these must also be classified.
Pass criteria: At least 1 of the following conditions is met. All cookies set by the application or its third-party services are classified and documented, either in the consent manager configuration or in the privacy policy. Classifications cover at minimum: essential (session tokens, CSRF), analytics, and marketing. Each entry includes purpose and expiration.
Fail criteria: Cookies are set with no classification or documentation. The consent tool is configured but its cookie registry is incomplete (e.g., Facebook Pixel cookies are missing). No distinction between cookie types.
Skip (N/A) when: No cookies are used (static site with no third-party services and no user authentication).
Cross-reference: For user-facing accessibility and compliance, the Accessibility Basics audit covers foundational requirements.
Detail on fail: Specify what is missing. Example: "No cookie classification found. 8 cookies are set (including _ga, _fbp, _hjid) but none are documented." or "Consent manager configured but Facebook Pixel and Hotjar cookies are absent from the registry."
Remediation: Maintain a cookie register. At minimum, document it in your privacy policy. Tools like Cookiebot or OneTrust can auto-scan and generate a register. If building manually:
// Cookie registry (source of truth for consent banner)
export const COOKIES = [
  {
    name: 'session',
    type: 'necessary',
    purpose: 'Maintains authenticated session state',
    expiry: 'Session',
    thirdParty: false,
  },
  {
    name: '_ga, _ga_XXXXXXXX',
    type: 'analytics',
    purpose: 'Google Analytics — tracks page views and user behavior pseudonymously',
    expiry: '2 years',
    thirdParty: true,
    provider: 'Google LLC',
  },
  {
    name: '_fbp',
    type: 'marketing',
    purpose: 'Facebook Pixel — tracks conversions and ad attribution',
    expiry: '90 days',
    thirdParty: true,
    provider: 'Meta Platforms Inc.',
  },
] as const
Reference this registry in your consent banner and mirror it in your privacy policy.
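The registry above only helps if it is actually complete. As an added example, not code from this audit rule or any consent tool, the following check compares the cookies a page load actually set against the registry and flags every name the registry does not cover, which is exactly the "Facebook Pixel and Hotjar cookies are absent" failure the audit looks for; it also verifies each entry carries the purpose, expiry and provider fields the rule requires. The registry, the observed cookie string and the convention that a trailing run of `X` in a registry name (as in `_ga_XXXXXXXX`) is a wildcard suffix are all constructed assumptions.

```typescript
// Added example: registry completeness check for the cookie audit. Not part of the
// original rule; the registry, observed cookies and the 'X' wildcard rule are assumptions.
export type CookieType = 'necessary' | 'analytics' | 'marketing'

export interface CookieEntry {
  name: string          // one name, or several separated by ", " as in the page's registry
  type: CookieType
  purpose: string
  expiry: string
  thirdParty: boolean
  provider?: string     // required by the audit when thirdParty is true
}

// Constructed registry mirroring the page's entries; Hotjar is deliberately absent.
export const REGISTRY: CookieEntry[] = [
  { name: 'session', type: 'necessary', purpose: 'Maintains authenticated session state', expiry: 'Session', thirdParty: false },
  { name: '_ga, _ga_XXXXXXXX', type: 'analytics', purpose: 'Google Analytics', expiry: '2 years', thirdParty: true, provider: 'Google LLC' },
  { name: '_fbp', type: 'marketing', purpose: 'Facebook Pixel', expiry: '90 days', thirdParty: true, provider: 'Meta Platforms Inc.' },
]

// Assumed convention: a trailing run of 'X' in a registry name is a placeholder
// (the GA4 property id in _ga_XXXXXXXX) and matches any non-empty suffix.
export function nameMatches(pattern: string, actual: string): boolean {
  const m = /^(.*?)X+$/.exec(pattern)
  return m ? actual.startsWith(m[1]) && actual.length > m[1].length : pattern === actual
}

// Every individual name pattern the registry declares.
export function registryNames(registry: CookieEntry[]): string[] {
  return registry.flatMap(e => e.name.split(',').map(n => n.trim()).filter(n => n.length > 0))
}

// Registry entries missing a field the audit requires for every cookie.
export function registryDefects(registry: CookieEntry[]): string[] {
  const defects: string[] = []
  for (const e of registry) {
    if (!e.purpose.trim()) defects.push(`${e.name}: empty purpose`)
    if (!e.expiry.trim()) defects.push(`${e.name}: empty expiry`)
    if (e.thirdParty && !e.provider) defects.push(`${e.name}: third-party cookie without provider`)
  }
  return defects
}

// Parses a raw Cookie header / document.cookie string into cookie names.
export function cookieNames(cookieString: string): string[] {
  return cookieString.split(';').map(p => p.trim().split('=')[0]).filter(n => n.length > 0)
}

// Observed names that no registry entry covers: the undisclosed cookies that invalidate consent.
export function undocumentedCookies(registry: CookieEntry[], observed: string[]): string[] {
  const patterns = registryNames(registry)
  return observed.filter(c => !patterns.some(p => nameMatches(p, c)))
}

// Constructed sample of what one page load set, including Hotjar's _hjid.
export const OBSERVED = cookieNames('session=abc; _ga=GA1.1.1; _ga_ABC123XYZ=GS1.1; _fbp=fb.1.1; _hjid=uuid')
```

Run `undocumentedCookies(REGISTRY, OBSERVED)` in a test against a real cookie jar captured from a staging crawl so that a newly added tracking script fails CI until its cookies are registered.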