GDPR Art. 7(3) states explicitly that withdrawal of consent must be as easy as giving it. If a user accepted analytics cookies in one click from a banner, withdrawal cannot require navigating to three nested settings menus, sending an email, or hunting for a link that only appears during the initial visit. This symmetry requirement is not ambiguous — it is black-letter GDPR text. Applications that bury consent management after the initial banner interaction effectively make consent irrevocable in practice, which invalidates the consent entirely under Art. 4(11) (consent must be freely withdrawable).
Medium because difficult withdrawal does not immediately expose data — it invalidates previously given consent under Art. 7(3), converting all consent-based processing into unlawful processing for affected users.
Add a persistent 'Cookie Preferences' button to every page footer that reopens the consent banner. Withdrawal must stop non-essential scripts on subsequent navigation.
// Footer component
function handleReopenConsent() {
  localStorage.removeItem('gdpr_consent_v1')
  window.dispatchEvent(new CustomEvent('reopen-consent-banner'))
}

<button onClick={handleReopenConsent} className="text-sm underline">
  Cookie Preferences
</button>

// In ConsentBanner.tsx — listen for the reopen event
useEffect(() => {
  const handler = () => setVisible(true)
  window.addEventListener('reopen-consent-banner', handler)
  return () => window.removeEventListener('reopen-consent-banner', handler)
}, [])
Verify that withdrawing consent actually stops the associated scripts — clear the stored consent, re-check the gate logic, and confirm analytics events are no longer fired on the next page navigation after withdrawal.
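The gate logic that this verification step re-checks is not shown on the page. The following is an added example (not the project's own code) of a fail-closed gate keyed on the same gdpr_consent_v1 entry, run through accept, withdraw and next navigation; the per-category JSON record shape, the script registry and its URLs are assumptions.

```javascript
// Added example: fail-closed consent gate. The record shape is an assumption.
const CONSENT_KEY = 'gdpr_consent_v1' // storage key used in the page's snippets

// Hypothetical script registry; the URLs are placeholders.
const SCRIPTS = [
  { src: '/js/app.js', category: 'essential' },
  { src: 'https://analytics.example/a.js', category: 'analytics' },
  { src: 'https://ads.example/m.js', category: 'marketing' },
]

// Parse the stored record; anything missing or malformed means "no consent".
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY)
  if (raw === null) return {}
  try {
    const parsed = JSON.parse(raw)
    return parsed && typeof parsed === 'object' && !Array.isArray(parsed) ? parsed : {}
  } catch {
    return {}
  }
}

// Only an explicit boolean true grants a non-essential category.
function isAllowed(storage, category) {
  return category === 'essential' || readConsent(storage)[category] === true
}

// Call on every page load: returns the script URLs that may be injected.
function scriptsToLoad(storage, scripts = SCRIPTS) {
  return scripts.filter((s) => isAllowed(storage, s.category)).map((s) => s.src)
}

// Minimal in-memory stand-in for window.localStorage (constructed for the demo).
function makeMemoryStorage() {
  const data = new Map()
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
  }
}

// Simulate: accept analytics, navigate, withdraw via the footer button, navigate.
function simulateWithdrawal() {
  const storage = makeMemoryStorage()
  storage.setItem(CONSENT_KEY, JSON.stringify({ analytics: true, marketing: false }))
  const before = scriptsToLoad(storage)
  storage.removeItem(CONSENT_KEY) // what handleReopenConsent does
  return { before, after: scriptsToLoad(storage) }
}
```

Scripts injected before the withdrawal keep running in the current document, so the check that matters is what scriptsToLoad returns on the next navigation.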
ID: gdpr-readiness.consent-management.easy-withdrawal
Severity: medium
What to look for: GDPR Article 7(3) states that withdrawal of consent must be as easy as giving it. If a consent banner allows users to accept cookies in one click, withdrawal should also be achievable in approximately one click — not buried in five nested menus. Look for a persistent link or button that reopens the consent preference center (often labeled "Manage Cookie Preferences," "Privacy Settings," or similar). This is commonly placed in the page footer. Check whether clicking this link actually reopens the consent banner/dialog and allows the user to change their choices. Check the account settings page for a consent management section for authenticated users. Verify that withdrawing consent actually stops the associated scripts from running on subsequent pages. Count all instances found and enumerate each.
Pass criteria: A clearly accessible link to manage or withdraw consent is present on all pages (typically footer). Clicking it opens the consent preference center and allows changes. Withdrawal takes effect immediately — non-essential scripts stop on subsequent navigation. The process requires no more steps than the original consent. At least 1 implementation must be confirmed.
Fail criteria: Consent withdrawal requires emailing a support address. No persistent link to manage preferences on any page. Consent manager exists but the "manage preferences" link is absent from the footer. Withdrawing consent in settings does not actually stop scripts from running.
Skip (N/A) when: Application has no consent mechanism because it has no non-essential cookies or tracking.
Detail on fail: Example: "No 'Manage cookie preferences' link in the footer or anywhere on the site after initial consent is given." or "Cookie preferences link exists in footer but clicking it shows a static page, not an interactive preference center."
Remediation: Add a persistent footer link that reopens the consent preference center:
// In your site footer — add a "Cookie Preferences" button
export function Footer() {
  function handleReopenConsent() {
    localStorage.removeItem('gdpr_consent_v1')
    window.dispatchEvent(new CustomEvent('reopen-consent-banner'))
  }

  return (
    <footer>
      <nav>
        <a href="/privacy">Privacy Policy</a>
        <a href="/terms">Terms</a>
        <button onClick={handleReopenConsent} className="text-sm underline">
          Cookie Preferences
        </button>
      </nav>
    </footer>
  )
}
In your ConsentBanner component, listen for the reopen-consent-banner event and set visible back to true:
useEffect(() => {
  const handler = () => setVisible(true)
  window.addEventListener('reopen-consent-banner', handler)
  return () => window.removeEventListener('reopen-consent-banner', handler)
}, [])