GDPR & CCPA Cookie Compliance: What Your Consent Banner Isn't Catching
Apr 19, 2026 · 7 min read
You installed a consent banner. The CMP pops up when users visit. You checked the GDPR box. But here is the problem: most consent management platforms only manage what happens after consent is given. They do not prevent cookies from loading before the user has accepted anything.
That gap is where regulators are actually issuing fines. The French CNIL, the Irish DPC, and the Belgian APD have all issued enforcement actions specifically against pre-consent cookie loading — not against sites that lacked a banner entirely.
The pre-consent problem
GDPR Article 7 requires that consent be given before processing. For non-essential cookies — analytics, advertising, social media pixels, A/B testing tools — that means the JavaScript that sets the cookie must not execute until the user has actively clicked "Accept."
The most common failure pattern looks like this:
- Page loads.
- Google Tag Manager fires immediately.
- GTM loads GA4, Facebook Pixel, Hotjar, and an A/B testing script.
- All four set cookies before the consent banner has finished rendering.
- The banner appears. User clicks "Accept."
- CMP records consent — for cookies already set 400ms ago.
The consent record is legally meaningless because processing preceded it.
What CCPA adds
CCPA (and its amendment CPRA) takes a different approach: it is opt-out by default for sale/sharing of personal information, not opt-in. But the practical implication for cookies is similar — if your cookies are used for targeted advertising and you have California users, you need a "Do Not Sell or Share My Personal Information" mechanism, and that mechanism must actually stop the third-party scripts from firing when triggered.
Many sites have the "Do Not Sell" link but it only toggles a CMP preference flag. If the advertising pixels still load on every page regardless of that flag, the CCPA opt-out is cosmetic.
The four failure modes automated scanners can catch
1. Pre-consent cookie loading
A scanner that loads your page in a browser without accepting the consent banner and then inspects document.cookie and storage APIs can identify any cookies or localStorage entries set before consent. These are your compliance risk.
2. Missing HttpOnly and Secure flags
Session cookies and authentication tokens must use HttpOnly to prevent JavaScript access (XSS protection) and Secure to prevent transmission over HTTP. Missing these is not a GDPR violation per se, but it is a security failure that can lead to data exposure — which triggers breach notification requirements under Article 33.
3. Missing SameSite attribute
Cookies without an explicit SameSite attribute default to Lax in modern browsers, but explicit declaration is still best practice. Cookies involved in cross-site requests that lack SameSite=None; Secure may behave inconsistently across browsers and be rejected in third-party contexts.
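The flag checks from failure modes 2 and 3, as an added example (not Kuality's scanner code): it parses raw Set-Cookie header values and reports missing HttpOnly/Secure on session-looking cookies, missing SameSite, and SameSite=None without Secure. The name pattern used to recognise session/auth cookies and the sample headers are constructed assumptions.

```javascript
// Added example, not from the page. Names that look like session/auth cookies
// (assumption; tune to your app). CSRF double-submit cookies are deliberately
// excluded: they must stay readable by JavaScript, so HttpOnly does not apply.
const AUTH_NAME_PATTERN = /sess|auth|token|jwt/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return a list of finding strings for one cookie (empty list = clean).
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const secure = attrs.secure === true;
  if (AUTH_NAME_PATTERN.test(name)) {
    if (attrs.httponly !== true) findings.push(`${name}: session/auth cookie without HttpOnly`);
    if (!secure) findings.push(`${name}: session/auth cookie without Secure`);
  }
  if (sameSite === null) {
    findings.push(`${name}: no explicit SameSite (browser default applies)`);
  } else if (sameSite === 'none' && !secure) {
    // Browsers reject SameSite=None cookies that are not also marked Secure.
    findings.push(`${name}: SameSite=None without Secure will be rejected`);
  }
  return findings;
}

function auditSetCookieHeaders(headers) {
  return headers.flatMap(auditCookie);
}

// Constructed sample headers: one clean, one bad auth cookie, one correct
// cross-site cookie, one cross-site cookie that browsers will drop.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'auth_token=xyz; Path=/',
  'prefs=dark; Path=/; Secure; SameSite=None',
  'ab_variant=B; Path=/; SameSite=None',
];
```

Feed it the Set-Cookie values captured from your own responses; in Node, `response.headers.getSetCookie()` on a fetch response gives you the array directly.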
4. Third-party scripts loading before consent
Beyond cookies themselves, the scripts that set them — Google Analytics, Meta Pixel, Intercom, Hotjar — should only execute post-consent. A scanner can track which third-party domains make network requests during the pre-consent page load. Any tracking domain that appears in that list is a compliance gap regardless of whether it successfully sets a cookie.
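The classification step behind failure modes 1 and 4, as an added example (not Kuality's scanner): given a snapshot taken by a headless browser that loaded the page and never touched the banner, it separates essential from non-essential cookies, flags any pre-consent localStorage entries, and lists third-party hosts that match a tracker list. The site host, the essential-cookie allowlist, the tracker suffixes and the snapshot itself are constructed assumptions; in a real run the snapshot should come from the browser's cookie jar (not only document.cookie, which hides HttpOnly cookies) and from the network log.

```javascript
// Added example, not from the page. All constants below are assumptions.
const SITE_HOST = 'shop.example';
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken', 'cookie_consent']);
const TRACKER_SUFFIXES = [ // illustrative, not an exhaustive tracker list
  'google-analytics.com', 'googletagmanager.com', 'facebook.com',
  'facebook.net', 'hotjar.com', 'doubleclick.net',
];

function hostOf(url) { return new URL(url).hostname; }
function endsWithDomain(host, suffix) { return host === suffix || host.endsWith('.' + suffix); }
function isFirstParty(host) { return endsWithDomain(host, SITE_HOST); }

// snapshot = { cookies: [{name, domain}], localStorage: [key], requests: [url] },
// all captured BEFORE any interaction with the consent banner.
function auditPreConsent(snapshot) {
  // Any cookie not on the essential allowlist is a pre-consent finding, even
  // when it is first-party: _ga and _fbp are set on your own domain by the
  // vendor script, which is exactly the case regulators have fined.
  const nonEssentialCookies = snapshot.cookies
    .filter((c) => !ESSENTIAL_COOKIES.has(c.name)).map((c) => c.name);
  // Anything in localStorage before consent is a finding (hjSessionUser_* etc.).
  const storageEntries = snapshot.localStorage.slice();
  const thirdPartyHosts = [...new Set(snapshot.requests.map(hostOf).filter((h) => !isFirstParty(h)))];
  // A tracker host contacted pre-consent is a gap whether or not a cookie landed.
  const trackerHosts = thirdPartyHosts.filter((h) => TRACKER_SUFFIXES.some((s) => endsWithDomain(h, s)));
  return {
    nonEssentialCookies, storageEntries, thirdPartyHosts, trackerHosts,
    compliant: nonEssentialCookies.length === 0 && storageEntries.length === 0 && trackerHosts.length === 0,
  };
}

// Constructed snapshot reproducing the failure pattern from the article
// (GTM fires immediately and loads GA4 and the Meta pixel). GTM-XXXX is a placeholder id.
const SAMPLE_SNAPSHOT = {
  cookies: [
    { name: 'sessionid', domain: 'shop.example' },
    { name: '_ga', domain: '.shop.example' },
    { name: '_fbp', domain: '.shop.example' },
  ],
  localStorage: ['hjSessionUser_12345'],
  requests: [
    'https://shop.example/',
    'https://cdn.shop.example/app.js',
    'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX',
    'https://www.google-analytics.com/g/collect?v=2',
    'https://connect.facebook.net/en_US/fbevents.js',
    'https://fonts.gstatic.com/s/inter.woff2',
  ],
};
```

Hosts that are third-party but not on the tracker list (a font CDN here) are still reported so a reviewer can decide whether they belong on the list.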
What automated scanners cannot catch
Some things require manual review:
- Consent record integrity. Does your CMP actually store a verifiable, timestamped record of consent for each user? Regulators have required production of these records during audits.
- Purpose limitation. Are cookies disclosed in your cookie policy actually used only for the purposes stated? A scanner sees the cookie. It cannot tell you whether the data flows from GA4 to a data broker.
- Data subject request handling. GDPR Article 17 (right to erasure) and CCPA require a mechanism to delete user data on request. Scanners cannot verify that deletion actually propagates to all downstream processors.
- Legitimate interest assessments. If you rely on legitimate interest as a lawful basis (GDPR Article 6(1)(f)), you need a documented balancing test. That is a legal document, not a technical artifact.
A practical compliance checklist
Start with the automated checks — they catch the most common violations quickly. Then layer in the manual review items.
- Run an automated cookie scanner with consent-banner bypass (pre-consent state).
- List every cookie and localStorage entry present before consent.
- Classify each: essential (session, CSRF) vs. non-essential (analytics, ads).
- Block non-essential scripts from loading until consent is given (GTM consent mode or direct script-blocking).
- Verify HttpOnly and Secure flags on all session and auth cookies.
- Add SameSite=Lax to all first-party cookies; SameSite=None; Secure for cross-site cookies.
- Update your cookie policy to accurately reflect all cookies, their purpose, and retention period.
- Test the "Do Not Sell" / opt-out flow if you have US users: verify scripts actually stop firing.
- Confirm your CMP is storing timestamped consent records retrievable by user ID.
- Schedule monthly automated rescans — new marketing tags appear without engineering review.
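The "GTM consent mode" step of the checklist, as an added example (not Kuality's code and not a Google snippet): the ordering that matters is that a denied-by-default consent state is pushed to dataLayer before the GTM container script is inserted, and that the banner's handlers push an update afterwards. The `applyConsent` helper and its `{ analytics, ads }` argument shape are assumptions.

```javascript
// Added example, not from the page. Uses the documented Consent Mode signal
// names; `root` lets the same code run in a browser (window) or in Node.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];
function gtag() { root.dataLayer.push(arguments); }

// Step 1: deny all non-essential storage by default. This MUST run before the
// gtm.js <script> is added, otherwise the tags fire before the banner exists.
gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
  security_storage: 'granted',   // strictly necessary, no consent needed
  wait_for_update: 500,          // ms to wait for a stored choice before firing
});

// Step 2: only now would the GTM container snippet be inserted (omitted here).

// Step 3: called by the banner's Accept / Reject / "Do Not Sell" handlers.
// choice = { analytics: boolean, ads: boolean } (assumed shape).
function applyConsent(choice) {
  const update = {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: choice.ads ? 'granted' : 'denied',
    ad_user_data: choice.ads ? 'granted' : 'denied',
    ad_personalization: choice.ads ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  return update;
}

// Invariant worth asserting in a page test: the first dataLayer entry is the
// denied default, proving nothing was granted before the user acted.
function consentDefaultsDenied() {
  const first = root.dataLayer[0];
  return Boolean(first) && first[0] === 'consent' && first[1] === 'default'
    && first[2].analytics_storage === 'denied' && first[2].ad_storage === 'denied';
}
```

Consent mode only gates tags that honour it; vendors that ignore it (or tags without consent checks configured in the container) still need a GTM trigger condition or direct script-blocking, which is exactly what the pre-consent rescan verifies.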
The enforcement landscape in 2026
GDPR enforcement has become more targeted. The CNIL issued a €150,000 fine to a mid-size e-commerce site in 2025 specifically for pre-consent analytics cookies — not for lack of a banner, but for the gap between banner appearance and script blocking. The Irish DPC has issued guidance explicitly stating that consent banners that display while tracking scripts run in parallel do not satisfy Article 7.
On the US side, CPRA enforcement began in 2024 and California's AG office has been issuing cure letters at scale. The opt-out mechanism must function — having the link is not enough.
Scanning with Kuality
Kuality's cookie compliance scanner loads your site in a real browser before accepting the consent banner and captures every cookie, localStorage entry, and third-party network request. It flags pre-consent cookies, missing security flags, and third-party tracking domains that fire before user action.
Schedule a weekly scan and you get notified the moment a new marketing tag appears on your site — before your legal team notices it first.