GDPR Art. 13 and CCPA §1798.100 require disclosure of what data is collected, why, and by whom — at the point of collection. A missing or unlinked privacy or cookie policy leaves users unable to exercise their rights (access, deletion, opt-out) and exposes operators to regulatory complaints. Under GDPR, the absence of a privacy notice is itself a violation independent of whether any data was misused. Consent management platforms auto-generate cookie declarations, but only if a policy page is present and linked where users can find it.
Medium because the absence of a privacy or cookie policy is a standalone GDPR Art. 13 disclosure violation, but does not by itself cause data exfiltration or immediate user harm.
Create a privacy policy page at app/privacy/page.tsx listing the analytics tools you use and how users can opt out. Then link it from your footer component:
// components/Footer.tsx
import Link from 'next/link';
// Site-wide footer, so every page exposes both policy links
export const Footer = () => (
  <footer><Link href="/privacy">Privacy Policy</Link> <Link href="/cookies">Cookie Policy</Link></footer>
);
Services like GetTerms, Termly, or iubenda generate GDPR-conformant policy text — a generated baseline beats no policy. If you use a CMP (CookieYes, OneTrust), embed its auto-generated cookie declaration table on the policy page so the tool list stays current as you add or remove analytics vendors.
ID: marketing-analytics.privacy-compliance.cookie-declaration
Severity: medium
What to look for: A cookie or privacy policy page should exist and reference the analytics tools in use. Check for a /privacy, /privacy-policy, /cookies, or /cookie-policy route in the project.
Note: This check cannot verify the legal sufficiency of a privacy policy — only whether one exists and references analytics/tracking.
Pass criteria: At least 1 privacy policy or cookie policy page exists (as a route or static file) AND is linked from the site footer or consent banner. Count the number of footer links to privacy/cookie policy pages.
Fail criteria: 0 privacy policy or cookie policy pages found, or a policy page exists but is linked from 0 footer components or consent banners.
Skip (N/A) when: No analytics is present. Skip for internal tools or developer-only projects with no public users.
Detail on fail: "No /privacy or /privacy-policy route found. A privacy policy disclosing cookie and analytics usage is legally required for sites collecting user data in the EU, UK, and California."
Remediation: Create a privacy policy page at app/privacy/page.tsx (or pages/privacy.tsx) that lists the analytics tools you use, what data they collect, and how users can opt out. Link it from your footer component:
// In your footer component (e.g. components/Footer.tsx)
import Link from 'next/link';
export const Footer = () => <footer><Link href="/privacy">Privacy Policy</Link></footer>;
Several services generate GDPR-compliant privacy policies (GetTerms, Termly, iubenda) — a generated baseline is better than nothing. Place the page at a predictable route: /privacy or /privacy-policy.
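The skip / fail / pass criteria above, implemented as an added example check over an in-memory project tree (this is illustrative code written for this page, not the audit tool's own implementation). It assumes Next.js app-router, pages-router or public/ static-file layouts for the policy page, identifies footer and consent-banner components by file name, and only counts footer links that point at a policy page that actually exists; the sample project is constructed.

```python
import re

POLICY_SLUGS = ("privacy", "privacy-policy", "cookies", "cookie-policy")
_SLUGS = "|".join(POLICY_SLUGS)
# Route shapes accepted as a policy page: app router, pages router, or a static file.
ROUTE_PATTERNS = [
    re.compile(rf"^app/({_SLUGS})/page\.(tsx|jsx|mdx)$"),
    re.compile(rf"^pages/({_SLUGS})\.(tsx|jsx|mdx)$"),
    re.compile(rf"^public/({_SLUGS})\.html$"),
]
# Heuristic (assumption): footer / consent-banner components are recognised by file name.
LINK_CONTAINER = re.compile(r"footer|consent|cookie.?banner", re.IGNORECASE)
TRACKING_TERMS = re.compile(r"\b(analytics|tracking|cookies?)\b", re.IGNORECASE)

# Constructed sample project (path -> source). Note the dangling /cookies link: no page serves it.
SAMPLE_PROJECT = {
    "app/layout.tsx": "import Footer from '../components/Footer';",
    "app/privacy/page.tsx": "export default function Privacy() { return <p>We use Google Analytics cookies.</p>; }",
    "components/Footer.tsx": '<Link href="/privacy">Privacy Policy</Link>\n<Link href="/cookies">Cookie Policy</Link>',
}

def find_policy_pages(files):
    """Map each policy slug to the route or static file that serves it."""
    found = {}
    for path in files:
        for pattern in ROUTE_PATTERNS:
            match = pattern.match(path)
            if match:
                found[match.group(1)] = path
    return found

def count_policy_links(files, slugs):
    """Count href links to existing policy pages inside footer / consent-banner files."""
    href = re.compile(r'href=["\']/(%s)/?["\']' % "|".join(re.escape(s) for s in slugs))
    return sum(len(href.findall(src)) for path, src in files.items() if LINK_CONTAINER.search(path))

def check_cookie_declaration(files, analytics_present=True):
    """Apply the rule's skip / fail / pass criteria; returns a result dict like the audit detail."""
    if not analytics_present:
        return {"status": "skip", "detail": "No analytics present."}
    pages = find_policy_pages(files)
    if not pages:
        return {"status": "fail", "detail": "No /privacy or /privacy-policy route found. "
                "A privacy policy disclosing cookie and analytics usage is legally required "
                "for sites collecting user data in the EU, UK, and California."}
    links = count_policy_links(files, pages)
    if links == 0:
        return {"status": "fail", "detail": "Policy page exists but is linked from 0 footer components or consent banners."}
    # Pass; additionally report whether every policy page mentions analytics/tracking at all.
    return {"status": "pass", "pages": sorted(pages.values()), "footer_links": links,
            "references_tracking": all(TRACKING_TERMS.search(files[p]) for p in pages.values())}
```

Running `check_cookie_declaration(SAMPLE_PROJECT)` passes with one counted footer link, because the /cookies link has no page behind it; the check reports existence and linkage only, not legal sufficiency.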