Cookie Consent Compliance Checker

Check your cookie banner against GDPR, ePrivacy, and ICO guidance

Answer a questionnaire about your consent banner — pre-ticked boxes, equal reject option, withdrawal mechanism, prior blocking of non-essential cookies, and consent logging — and get a weighted compliance score against GDPR Article 7, the ePrivacy Directive, and ICO guidance. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What makes cookie consent valid under GDPR and ePrivacy?

Consent must be freely given, specific, informed, and unambiguous, given by a clear affirmative action. In practice that means non-essential cookies are blocked until the user opts in, pre-ticked boxes are forbidden, rejecting must be as easy as accepting, the purposes are explained, and the user can withdraw consent as easily as they gave it.

Cookie consent is governed by the ePrivacy Directive for the act of storing or reading cookies, and by the GDPR for what valid consent looks like. Regulators have converged on a clear set of expectations, and most enforcement targets the same handful of banner design failures. This checker scores your implementation against those expectations.

How it works

Each requirement is answered Yes, No, or Partial, and weighted by how heavily regulators enforce it:

score (0–100) = Σ(answerValue × weight) / Σ(weight) × 100
answerValue:  Yes = 1, Partial = 0.5, No = 0

The heaviest weights sit on the failures regulators act on most: setting non- essential cookies before consent, pre-ticked boxes, and rejecting being harder than accepting. Failed and partial items are listed so remediation targets the biggest compliance risks first.

What regulators most commonly enforce

Cookie consent enforcement across the EU and UK has concentrated on a repeating set of patterns. Understanding what regulators actually look for helps you prioritise fixes beyond a raw score.

Firing tags before consent is the most frequently cited breach. Analytic or advertising pixels that run on page load — even if the banner appears — violate the ePrivacy Directive’s prior-consent requirement. Block all non-strictly-necessary cookies in your tag manager until a positive opt-in is recorded.

Asymmetric accept/reject design is the second major target. The Planet49 judgment (CJEU, 2019) confirmed that consent must be an active, specific act. Regulators including the ICO and the CNIL have since made clear that a “Reject All” option must be as prominent and accessible as “Accept All” — typically requiring it on the first banner layer rather than buried in settings. Fines have been issued specifically for requiring extra clicks to reject.

Pre-ticked boxes have been unlawful since Planet49 but remain common in preference-centre designs. Every non-essential toggle must default to off.

No withdrawal mechanism fails the GDPR’s requirement that withdrawal of consent be as easy as giving it. A persistent “Cookie Settings” link in the footer satisfies this; hiding it behind several navigation layers does not.

Missing consent logs are an enforcement risk even when the banner itself is compliant. GDPR Article 7 requires you to demonstrate consent. A timestamped record of what the user agreed to, and when, is essential.

Common scoring patterns

Most sites fall into one of three bands:

  • 0–40: Tags firing before consent or no reject option — the two failures with the highest enforcement weight. Fix these first.
  • 41–70: Banner exists, reject is possible, but logs are missing or withdrawal is difficult. Lower enforcement risk but still non-compliant.
  • 71–100: Core requirements met. Remaining gaps are usually in documentation and withdrawal convenience rather than banner behaviour.

Notes and tips

The single most common breach is firing analytics or advertising tags on page load, before any consent — block all non-essential cookies until the user opts in. Make Reject All a one-click action at the same visual level as Accept All; an unequal banner is treated as no consent at all. Keep a timestamped record of each consent so you can demonstrate it under GDPR Article 7. This is a self-assessment aid, not a legal audit — confirm a high score with a privacy specialist.