GDPR Art. 7(3) and CCPA §1798.120 both grant users the right to withdraw consent as easily as they granted it. A consent banner that can only accept — with no mechanism to subsequently revoke — fails this requirement. In practice this means users who later change their mind have no path to opt out short of clearing their browser storage, which most won't do. DPA enforcement has specifically targeted "roach motel" consent implementations where acceptance is one click but withdrawal requires contacting support.
Rated medium because a missing opt-out mechanism is a GDPR Art. 7(3) violation that prevents users from exercising a granted right, but it does not directly cause data capture beyond what was already consented to.
Add a "Cookie preferences" button in your footer that clears the consent flag and re-shows the banner on reload:
```tsx
// components/Footer.tsx
export function Footer() {
  return (
    <footer>
      <button
        onClick={() => {
          // Removing the stored choice makes the banner appear again after reload
          localStorage.removeItem('analytics_consent')
          window.location.reload()
        }}
      >
        Cookie preferences
      </button>
    </footer>
  )
}
```
If you use a CMP (CookieYes, OneTrust), the CMP widget handles this automatically — ensure the re-open trigger is actually linked from the footer. For GA4, also set the GA opt-out cookie on decline: `window['ga-disable-G-XXXXXXXXXX'] = true`.
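The withdrawal path described above should be as cheap as the grant path: one action clears the stored choice, sets the GA4 opt-out flag, and causes the banner to show again. The following is an added example, not code from the original page or from any CMP; it keeps the consent state in a small store whose `storage` (localStorage in a browser) and `globalObj` (window in a browser) are injected, so it also runs outside a browser, and `G-PLACEHOLDER` stands in for a real measurement ID.

```javascript
// Added example (not part of the original page): symmetric grant/withdraw consent store.
// `storage` needs getItem/setItem/removeItem (localStorage in the browser);
// `globalObj` receives the GA4 opt-out flag (window in the browser).
const CONSENT_KEY = 'analytics_consent';

function createConsentStore({ storage, globalObj, measurementId }) {
  const disableKey = `ga-disable-${measurementId}`; // GA4 opt-out flag name

  // Returns 'granted', 'denied', or null when the user has not decided yet.
  function current() {
    const v = storage.getItem(CONSENT_KEY);
    return v === 'granted' || v === 'denied' ? v : null;
  }

  function grant() {
    storage.setItem(CONSENT_KEY, 'granted');
    globalObj[disableKey] = false;
  }

  function decline() {
    storage.setItem(CONSENT_KEY, 'denied');
    globalObj[disableKey] = true; // GA4 stops sending hits while this is true
  }

  // Withdrawal is a single step, exactly like acceptance: clear the stored
  // choice (so the banner re-appears) and disable GA4 immediately.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
    globalObj[disableKey] = true;
  }

  function shouldShowBanner() {
    return current() === null;
  }

  return { current, grant, decline, withdraw, shouldShowBanner };
}

// In-memory stand-in for localStorage, constructed for this example so it runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walks through grant -> withdraw and records what the UI and GA4 would observe.
function demo() {
  const globalObj = {};
  const store = createConsentStore({
    storage: memoryStorage(),
    globalObj,
    measurementId: 'G-PLACEHOLDER', // placeholder, not a real measurement ID
  });
  const trace = [];
  trace.push(store.shouldShowBanner());                          // true: undecided
  store.grant();
  trace.push(store.current(), globalObj['ga-disable-G-PLACEHOLDER']); // 'granted', false
  store.withdraw();
  trace.push(store.shouldShowBanner(), globalObj['ga-disable-G-PLACEHOLDER']); // true, true
  return trace;
}

console.log(demo());
```

In a React footer the button's onClick would call `withdraw()` and then reload (or re-render the banner); setting the `ga-disable-…` flag in the same step closes the window between the click and the reload in which GA4 could still send a hit.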
ID: marketing-analytics.privacy-compliance.opt-out-mechanism
Severity: medium
What to look for: Users must be able to withdraw consent after granting it. Check for:
- A settings or preferences page with an analytics toggle (e.g. /settings, /account/preferences)
- A footer link or button that re-opens the consent banner after the initial choice
- The window[`ga-disable-${GA_MEASUREMENT_ID}`] = true pattern (GA4 opt-out cookie)
Pass criteria: Users have at least 1 mechanism to opt out of analytics after initial consent: a settings toggle, a re-openable consent banner, or a documented opt-out procedure linked from the privacy policy. Count the number of opt-out mechanisms found.
Fail criteria: Consent can only be granted (via the initial banner) with 0 mechanisms to subsequently withdraw it.
Skip (N/A) when: No consent banner is required (cookie-free analytics). Skip for projects using only Plausible, Fathom, or Vercel Analytics.
Detail on fail: "Consent banner allows accepting analytics but no mechanism exists to subsequently withdraw consent. Users cannot change their analytics preferences after initial choice."
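The pass, fail and skip criteria above can be applied mechanically. The following is an added example of such a check, not the page's own checker: it scans constructed page HTML and script source for the mechanisms listed under "What to look for", counts them, and returns pass/fail/skip with the fail detail text. The provider names (`ga4`, `plausible`, `fathom`, `vercel-analytics`) and the sample HTML are assumptions made for the example.

```javascript
// Added example (not part of the original page): evaluator for the opt-out-mechanism rule.

// Providers that need no consent banner; the rule skips projects using only these.
// Identifiers are assumed for this example.
const COOKIE_FREE_PROVIDERS = new Set(['plausible', 'fathom', 'vercel-analytics']);

const FAIL_DETAIL =
  'Consent banner allows accepting analytics but no mechanism exists to subsequently ' +
  'withdraw consent. Users cannot change their analytics preferences after initial choice.';

// Returns the list of opt-out mechanisms found in the page markup and scripts.
function findOptOutMechanisms({ html, scripts }) {
  const found = [];
  // Footer link/button that re-opens the banner or leads to a preferences dialog.
  if (/cookie preferences|manage cookie/i.test(html)) {
    found.push('re-openable consent banner');
  }
  // Settings page with an analytics toggle.
  if (/href=["'](\/settings|\/account\/preferences)/i.test(html)) {
    found.push('settings toggle');
  }
  // Documented opt-out procedure linked from the privacy policy.
  if (/href=["'][^"']*privacy-policy#manage-cookies/i.test(html)) {
    found.push('documented opt-out procedure');
  }
  // GA4 opt-out flag: window['ga-disable-...'] or window[`ga-disable-${id}`].
  if (/window\[\s*['"`]ga-disable-/.test(scripts)) {
    found.push('GA4 opt-out flag');
  }
  return found;
}

// Applies the rule's skip / pass / fail criteria.
function evaluateOptOutRule({ providers, html, scripts }) {
  if (providers.length > 0 && providers.every((p) => COOKIE_FREE_PROVIDERS.has(p))) {
    return { result: 'skip', mechanisms: [], detail: 'cookie-free analytics only' };
  }
  const mechanisms = findOptOutMechanisms({ html, scripts });
  if (mechanisms.length === 0) {
    return { result: 'fail', mechanisms, detail: FAIL_DETAIL };
  }
  return { result: 'pass', mechanisms, detail: `${mechanisms.length} opt-out mechanism(s) found` };
}

// Constructed sample pages (not real sites).
const FAILING_PAGE = {
  providers: ['ga4'],
  html: '<footer><a href="/privacy-policy">Privacy</a></footer>',
  scripts: "gtag('config', 'G-PLACEHOLDER');",
};

const PASSING_PAGE = {
  providers: ['ga4'],
  html: '<footer><button type="button">Cookie preferences</button></footer>',
  scripts: "window['ga-disable-G-PLACEHOLDER'] = true;",
};

const SKIPPED_PAGE = { providers: ['plausible'], html: '<footer></footer>', scripts: '' };

console.log(evaluateOptOutRule(FAILING_PAGE));
console.log(evaluateOptOutRule(PASSING_PAGE));
console.log(evaluateOptOutRule(SKIPPED_PAGE));
```

A single-page scan only sees what is rendered into the HTML; a CMP that injects its re-open trigger at runtime will need the check to run against the rendered DOM rather than the static template.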
Remediation: Add a "Manage cookie preferences" link in your footer that re-opens the consent banner or navigates to a preferences page:
```tsx
// Footer component
<button onClick={() => {
  localStorage.removeItem('analytics_consent')
  window.location.reload() // Re-shows the consent banner
}}>
  Cookie preferences
</button>
```
Alternatively, a link to /privacy-policy#manage-cookies with instructions for opting out (clearing cookies, using browser settings) satisfies the requirement in many jurisdictions.