Cookies

What is a cookie banner audit? (2026 checklist)

A cookie banner audit checks design, defaults, dark patterns, and the behaviour of every script that fires on Accept, Reject, and Save preferences. Here is the 2026 checklist.

By Veracly Compliance Team · 7 min read

The cookie banner is the single most-audited compliance surface on a website. It is the first thing a regulator sees, the easiest thing for a complainant to screenshot, and the source of most public GDPR fines. A cookie banner audit is the check that tells you whether yours would pass scrutiny.

This article is the 2026 checklist — what auditors look at, the dark patterns regulators have specifically called out, and the design that consistently passes review across the EU and UK.

What an auditor checks, in order

1. The first impression

  • The banner appears before any non-essential script fires. (Verify with a network tab or a scanner.)
  • The banner is visible without scrolling on the device the user is on, including narrow mobile viewports.
  • The banner does not auto-close. Implied consent (closing the banner, scrolling, continuing to use the site) is not consent.

2. The choices on the first layer

  • Accept all and Reject all buttons appear at the same level — same screen, same prominence, comparable visual weight.
  • A third option for granular settings (Manage preferences) is visible but not the only alternative to Accept.
  • No pre-checked categories. All non-essential categories default to off until the user explicitly toggles them on.

3. The granular layer

  • At minimum: strictly necessary, functional, analytics/statistics, advertising/marketing. Many regulators expect finer categories — e.g., separate toggles for personalisation and social media.
  • Each category has a plain-language description of what it does and which vendors are involved.
  • No legitimate-interest toggle for advertising. The IAB’s TCF v2.0 originally allowed it; the Belgian DPA found that pattern unlawful in 2022.
  • A Save preferences button that respects partial choices.

4. Withdrawal

  • A persistent “Cookie settings” link, ideally in the footer, opens the same banner so the user can change their choice.
  • Withdrawal is as easy as the original consent — one click, same modal.

5. Behavioural verification

The auditor reloads the page after each consent path:

  • Accept all — every script fires; cookies match the cookie policy.
  • Reject all — only strictly-necessary cookies; no analytics, no advertising, no third-party widgets that set cookies.
  • Granular partial — only the categories the user toggled on fire.

Most banners pass on Accept and fail on Reject. A common failure: a Google Tag Manager container that loads regardless of consent, with individual tags inside it that also fire regardless of consent. The fix is to gate the entire GTM container behind consent or to move the consent check into every tag.
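As an added example (not code from this article or from Veracly's scanner), here is a small offline harness that mirrors the three-path behavioural check: it builds the consent state for Accept all, Reject all and a granular partial choice, then flags any observed cookie that is undeclared or belongs to a category the user did not consent to. The cookie names, categories and observed cookie lists are constructed sample data.

```javascript
// Constructed inventory: cookie name -> category declared in the cookie policy.
const COOKIE_INVENTORY = {
  session_id: "strictly_necessary",
  csrf_token: "strictly_necessary",
  ui_lang: "functional",
  analytics_id: "analytics",
  ad_segment: "advertising",
};
const OPTIONAL_CATEGORIES = ["functional", "analytics", "advertising"];

// Consent state for one of the three audit paths; strictly necessary is always on.
function consentFor(path, toggledOn = []) {
  const state = { strictly_necessary: true };
  for (const c of OPTIONAL_CATEGORIES) {
    if (path === "accept_all") state[c] = true;
    else if (path === "reject_all") state[c] = false;
    else state[c] = toggledOn.includes(c); // granular partial choice
  }
  return state;
}

// Every observed cookie must be declared in the policy AND in a consented category.
function auditPath(consent, observedCookies) {
  const findings = [];
  for (const name of observedCookies) {
    const category = COOKIE_INVENTORY[name];
    if (category === undefined) {
      findings.push({ cookie: name, issue: "not in cookie policy" });
    } else if (!consent[category]) {
      findings.push({ cookie: name, issue: `set without consent for ${category}` });
    }
  }
  return findings;
}

// Constructed observations: the reject path reproduces the common failure above.
const OBSERVED = {
  accept_all: ["session_id", "csrf_token", "ui_lang", "analytics_id", "ad_segment"],
  reject_all: ["session_id", "csrf_token", "analytics_id"],
  partial: ["session_id", "ui_lang", "_unknown_tracker"],
};

function runAudit() {
  return {
    accept_all: auditPath(consentFor("accept_all"), OBSERVED.accept_all),
    reject_all: auditPath(consentFor("reject_all"), OBSERVED.reject_all),
    partial: auditPath(consentFor("partial", ["functional"]), OBSERVED.partial),
  };
}
```

In a real audit the observed lists come from the browser's cookie jar and network log after each reload; the comparison logic stays the same.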

The dark patterns regulators have specifically called out

The EDPB Cookie Banner Task Force published a final report in January 2023 that standardised what regulators across the EU consider non-compliant. The list:

  • No Reject button on the first layer.
  • Pre-ticked boxes.
  • Deceptive button colour or design (greyed-out Reject, accept styled as a green “safe” button vs. red Reject).
  • Misleading language — “Accept and visit” vs. “Reject,” or “by clicking, you accept.”
  • Categories described in legal jargon that an average user cannot understand.
  • Legitimate-interest justification for advertising.
  • Cookie wall (you must accept to view content) on services where alternatives are not available.
  • Re-prompting the user on every page load after they have rejected.

What good looks like

A banner that consistently passes audits has the following structure:

  1. Plain-language summary: “We use cookies to make this site work and, with your permission, to understand how it’s used and improve it.”
  2. Three buttons of equal visual weight: Accept all, Reject all, Manage preferences.
  3. Manage preferences opens a modal with toggles for each non-essential category, defaulting to off, with vendor lists and purpose descriptions.
  4. A Save preferences button alongside the same three top-level choices.
  5. A persistent footer link labelled “Cookie settings” that re-opens the modal.
  6. An accessible cookie policy page that lists every cookie — name, purpose, duration, first/third party — and is regenerated when the inventory changes.

How Veracly audits banners

Veracly visits your site as a fresh user, captures every network call before consent, re-runs after Accept, Reject, and a granular partial choice, and reports any cookie or third-party request that does not match the chosen state. Each issue maps to the specific regulator guidance — CNIL, ICO, EDPB — and the developer fix. Run a scan to audit your current banner.

See also: What is a GDPR cookie audit? · Tracking pixel audit: GDPR & ePrivacy

Common questions

Is a cookie banner legally required?

Yes, where non-essential cookies or trackers are used and EU/UK visitors can reach the site. The legal basis is Article 5(3) of the ePrivacy Directive plus Article 7 GDPR. The banner is the mechanism through which consent is captured.

What makes a banner non-compliant?

The most common failures: Reject-All hidden behind a settings link, pre-ticked categories, tracking that fires before the user interacts, no granular toggles, language like "by using this site you consent", and no easy way to withdraw consent later.

Do I need both Accept and Reject buttons on the same level?

Yes — at minimum in France (CNIL), Germany, Italy, Spain, and per the EDPB Cookie Banner Task Force. Practical advice: equal-weight buttons on the first banner layer, plus a granular settings link.

What about the "Reject All" button colour?

Both buttons should look like buttons. Greying out Reject or styling it as a text link is the design pattern that draws fines. Use the same shape, size, and visual weight, and only differentiate by colour with sufficient contrast.

See where your site stands.

Run a free Veracly scan and get a multi-jurisdiction report — EAA, GDPR, ADA, UK Equality Act, AODA — with copy-paste developer fixes.