Cookie consent banner
MetricSpot detects whether pages that load analytics or marketing trackers also show a cookie consent banner. Without one you're in breach of GDPR, ePrivacy, and UK PECR.
What this check does
Scans the rendered page for both (a) non-essential third-party trackers — Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, fbq, gtag — and (b) a cookie consent banner from Cookiebot, OneTrust, Iubenda, Osano, Termly, Klaro, Borlabs, CookieYes, or a custom dialog. The check fails when trackers are present but no banner is found.
Why it matters
Under EU and UK law, non-essential cookies and similar tracking technologies need prior, freely given, specific, informed, unambiguous consent before they fire. “Continued use implies consent” doesn’t count, and neither do pre-ticked checkboxes.
- GDPR fines. Up to 4% of global annual revenue. Regulators (CNIL in France, AEPD in Spain, Garante in Italy) have repeatedly fined sites for firing Google Analytics or Meta Pixel before consent.
- Class-action exposure. US state laws (CCPA/CPRA, Colorado CPA, Virginia VCDPA) and the EU’s Digital Services Act add separate private right-of-action paths.
- Conversions. Without a Consent Mode v2 setup, Google Ads and Analytics drop unconsented events instead of modeling them — your reporting and ad audiences degrade silently.
How to fix it
Pick a banner that supports IAB TCF v2.2 + Google Consent Mode v2 (the combo Google requires from March 2024 for EEA users):
- Cookiebot — paid, comprehensive, scans your site weekly to keep the cookie list up to date.
- OneTrust — enterprise; the default if you already use OneTrust for privacy management.
- Iubenda — affordable, multilingual, good for SMBs.
- Klaro — open-source, self-hosted.
Cookiebot example — drop this in <head> before every other tracking script:
<script id="Cookiebot"
src="https://consent.cookiebot.com/uc.js"
data-cbid="YOUR-CBID"
data-blockingmode="auto"
type="text/javascript"></script>
Set every tracker (GA4, gtag, Meta Pixel, etc.) to type="text/plain" with data-cookieconsent="statistics" (or "marketing") — Cookiebot rewrites them to text/javascript only after consent.
Google Consent Mode v2 — initialize gtag('consent', 'default', { ... }) with everything denied before loading GA, then update to granted from the banner’s callback. Otherwise GA drops 100% of EEA events instead of using consent modeling.
Audit what you’re firing. Open DevTools → Application → Cookies in an incognito window and load the page without clicking the banner. If you see _ga, _fbp, _hjSessionUser_*, or anything from a tracker domain, you’re firing before consent — that’s the violation.
Frequently asked questions
Do I need a banner if I only use Google Analytics?
Yes — in the EEA, UK, and Switzerland, GA is classified as non-essential by every supervisory authority that has ruled on it. The same applies if you only run a Meta Pixel or a third-party A/B-test tool.
What about cookieless analytics like Plausible or Fathom?
If the tool stores no cookies, fingerprints no devices, and doesn’t transmit personal data, you can argue it’s essential and skip the banner. Plausible and Fathom market themselves as “GDPR-friendly without a banner” on this basis; check their current attestation before relying on it.
My audit failed but I have a banner — what gives?
Either the banner script loads after a tracker fires (the trackers run before the consent decision lands), the banner only appears in certain regions and MetricSpot is auditing from outside that region, or the detection signature doesn’t match the vendor you’re using. Confirm by opening DevTools and watching the request order on first load.
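The first-load audit and the request-order check described above can be scripted. This is an added example, not MetricSpot's own detection code: auditFirstLoad, the tracker and consent host lists, and the sample capture are assumptions made for illustration, while the cookie names are the ones listed in the audit step.

```javascript
// Added example. Cookie names are from the page; host lists are assumptions.
const TRACKER_COOKIES = [/^_ga(_|$)/, /^_fbp$/, /^_hjSessionUser_/];
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com",
  "connect.facebook.net", "static.hotjar.com", "analytics.tiktok.com"];
const CONSENT_HOSTS = ["consent.cookiebot.com"];

const hostIn = (host, list) =>
  list.some((d) => host === d || host.endsWith("." + d));

// har: HAR export of the first load; cookieNames: names listed under
// DevTools > Application > Cookies. Both captured without touching the banner.
function auditFirstLoad(har, cookieNames) {
  const entries = har.log.entries
    .map((e) => ({
      url: e.request.url,
      host: new URL(e.request.url).hostname,
      started: Date.parse(e.startedDateTime),
    }))
    .sort((a, b) => a.started - b.started);

  const banner = entries.find((e) => hostIn(e.host, CONSENT_HOSTS));
  const trackers = entries.filter((e) => hostIn(e.host, TRACKER_HOSTS));
  // With no consent script at all, every tracker request counts as early.
  const early = trackers.filter((e) => !banner || e.started < banner.started);
  const cookies = cookieNames.filter((n) =>
    TRACKER_COOKIES.some((re) => re.test(n)));

  return {
    bannerFound: Boolean(banner),
    trackersBeforeBanner: early.map((e) => e.url),
    preConsentCookies: cookies,
    pass: early.length === 0 && cookies.length === 0,
  };
}

// Constructed sample: gtag.js is requested 80 ms before the Cookiebot script.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-01-01T10:00:00.040Z",
    request: { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" } },
  { startedDateTime: "2026-01-01T10:00:00.120Z",
    request: { url: "https://consent.cookiebot.com/uc.js" } },
  { startedDateTime: "2026-01-01T10:00:00.300Z",
    request: { url: "https://example.test/app.js" } },
] } };
const SAMPLE_COOKIES = ["session", "_ga", "_ga_EXAMPLE", "_hjSessionUser_000000"];

console.log(auditFirstLoad(SAMPLE_HAR, SAMPLE_COOKIES));
```

A tracker request that starts after the consent script is not flagged here, because under Consent Mode v2 a tag can load with everything denied; the cookie list is what shows whether it stored anything before consent.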
Last updated 2026-05-11