
Cookie Compliance Checklist: 25 Points to Full Compliance

Cookie compliance involves technical implementation, legal documentation, and ongoing operational processes. Missing any single element can result in non-compliance, even if everything else is in order. This structured 25-point checklist covers every aspect of cookie compliance under the GDPR, ePrivacy Directive, and major international privacy laws. Use it as both an implementation guide and a regular audit tool.

Cookie Inventory

You cannot manage what you have not measured. A complete, accurate cookie inventory is the foundation of every other compliance activity.

  1. All cookies identified and documented

    Every cookie your website sets must be identified, including cookies set by third-party scripts, embedded content, and dynamically loaded resources. Use automated scanning to ensure complete coverage across all pages, not just the homepage. Your inventory should include HTTP cookies, localStorage entries, sessionStorage entries, and any other client-side storage mechanisms used for tracking.

  2. Each cookie categorized correctly

    Every cookie must be assigned to the correct compliance category: strictly necessary, functional, analytics/performance, or marketing/advertising. The categorization must be honest — a cookie that tracks users for advertising purposes cannot be categorized as "functional" simply because it also provides some functional benefit. When in doubt, apply the stricter category. DPAs scrutinize categorization closely, and miscategorization is one of the most common findings in enforcement actions.

  3. Third-party cookies identified with providers

    For every third-party cookie on your site, document which service sets it, why it is on your site, and what data it collects or shares. Common third-party cookie sources include analytics platforms (Google Analytics, Adobe Analytics), advertising networks (Google Ads, Meta Pixel, LinkedIn Insight Tag), social media widgets, video embeds (YouTube, Vimeo), chat tools (Intercom, Drift), and A/B testing platforms (Optimizely, VWO). Each third-party provider should have a data processing agreement in place.

  4. Cookie durations documented

    Record the expiration period for each cookie. Session cookies expire when the browser is closed. Persistent cookies have a defined lifetime that must be documented (e.g., 30 days, 1 year, 2 years). Under GDPR principles of data minimization and storage limitation, cookie durations should be proportionate to their purpose. An analytics cookie that persists for 10 years would be difficult to justify. The CNIL recommends a maximum of 13 months for analytics cookies.
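As an added example (not code from the original checklist), the following JavaScript audits captured Set-Cookie headers against a cookie inventory: it flags cookies that are not in the inventory at all (points 1 to 3) and analytics cookies whose lifetime exceeds the 13-month guidance (point 4). The inventory, the captured headers and the cookie names are constructed for the demonstration; Max-Age is given precedence over Expires as RFC 6265 specifies.

```javascript
// Added example, not from the checklist. Inventory and captured headers are constructed.
const MAX_ANALYTICS_LIFETIME_DAYS = Math.round(13 * 365 / 12); // 13 months (CNIL guidance) in days

// Constructed inventory: the cookies we expect, their category and who sets them.
const inventory = {
  session_id: { category: 'necessary', provider: 'first-party' },
  _ga:        { category: 'analytics', provider: 'Google Analytics' },
};

// Constructed capture of Set-Cookie headers observed during a page load.
const capturedSetCookieHeaders = [
  'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',        // session cookie
  '_ga=GA1.2.111.222; Max-Age=63072000; Path=/',                       // two years
  'promo_click=xyz; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/',    // not in the inventory
];

// Parse one Set-Cookie header into its name and lifetime in days (null means a session cookie).
// Max-Age takes precedence over Expires, as RFC 6265 specifies.
function parseSetCookie(header, now = new Date()) {
  const parts = header.split(';').map(p => p.trim());
  const eq0 = parts[0].indexOf('=');
  const name = eq0 === -1 ? parts[0] : parts[0].slice(0, eq0);
  let maxAgeDays = null;
  let expiresDays = null;
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'max-age') maxAgeDays = Number(value) / 86400;
    else if (key === 'expires') expiresDays = (new Date(value).getTime() - now.getTime()) / 86400000;
  }
  return { name, lifetimeDays: maxAgeDays !== null ? maxAgeDays : expiresDays };
}

// Compare observed cookies with the inventory. Unknown cookies and analytics cookies
// that outlive the 13-month guidance are reported as findings for the compliance review.
function auditCookies(headers, inv, now = new Date()) {
  const findings = [];
  for (const header of headers) {
    const { name, lifetimeDays } = parseSetCookie(header, now);
    const entry = inv[name];
    if (!entry) {
      findings.push({ name, issue: 'not in inventory: identify, categorize and document it' });
      continue;
    }
    if (entry.category === 'analytics' && lifetimeDays !== null && lifetimeDays > MAX_ANALYTICS_LIFETIME_DAYS) {
      findings.push({ name, issue: `analytics cookie lifetime ${Math.round(lifetimeDays)} days exceeds ${MAX_ANALYTICS_LIFETIME_DAYS}` });
    }
  }
  return findings;
}
```

Run against the constructed capture, the audit reports two findings: `_ga` (730 days, over the 13-month limit) and `promo_click` (absent from the inventory). Feeding real headers from a proxy or browser capture into `auditCookies` is the recurring scan that point 23 asks for.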

  5. Cookie purposes documented in plain language

    Each cookie's purpose must be described in language that a typical website visitor can understand. "This cookie stores a unique identifier to track your browsing activity across our site for website analytics" is clear. "_ga: Used by Google Analytics for distinguishing users" is not sufficient for most users. The purpose description should answer the question: "What does this cookie do, and why should I allow it?"

Consent Mechanism

The consent mechanism is where legal requirements meet technical implementation. Getting this right is the most critical — and most frequently failed — aspect of cookie compliance.

  6. Consent obtained BEFORE non-essential cookies are set

    This is the single most important technical requirement. No analytics, advertising, or other non-essential cookies may be set until the user has given affirmative consent. This means third-party scripts must be blocked from loading until consent is received. Simply deleting cookies after the fact is not compliant — the ePrivacy Directive requires consent before storage, not retroactive removal. Test this by visiting your site in an incognito window and checking which cookies are set before interacting with the banner.

  7. Scripts blocked until consent is given

    Blocking cookies is not enough — the scripts that set them must be prevented from executing. A script that loads and executes but is prevented from writing a cookie may still collect and transmit data (through pixels, beacons, or API calls). Your consent management must prevent the script itself from loading until the appropriate consent category has been accepted. Common implementation approaches include changing the type attribute of script tags (e.g., from text/javascript to text/plain) and dynamically injecting scripts after consent.
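The two points above (consent before any non-essential cookie, and scripts kept from executing rather than merely kept from writing cookies) can be implemented with the inert-script convention the text mentions. The JavaScript below is an added example, not the checklist's own code: it assumes third-party tags are shipped as `<script type="text/plain" data-consent="analytics" data-src="...">` (a constructed markup convention) and only creates an executable script element once the matching category has been accepted. The pre-consent self-check at the end mirrors the incognito-window test: anything present before the banner is answered must be strictly necessary.

```javascript
// Added example, not from the checklist. Markup convention assumed:
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/analytics.js"></script>
// A text/plain script is never fetched or executed by the browser.
const DEFAULT_CONSENT = Object.freeze({ necessary: true, functional: false, analytics: false, marketing: false });

// Pure decision: which inert tags may run under the given consent state.
// `tags` is an array of { category, src } descriptors, the shape a DOM scan would yield.
function selectActivatable(tags, consent = DEFAULT_CONSENT) {
  return tags.filter(t => consent[t.category] === true);
}

// Browser side: replace each permitted inert tag with an executable one.
// Flipping `type` on an existing <script> element does not execute it, so a fresh element is created.
// Tags whose category was not accepted stay inert, so no request leaves the browser for them.
function activateTags(doc, consent = DEFAULT_CONSENT) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = inert.map(el => ({
    el,
    category: el.getAttribute('data-consent'),
    src: el.getAttribute('data-src'),
  }));
  const activated = [];
  for (const d of selectActivatable(descriptors, consent)) {
    const live = doc.createElement('script');
    if (d.src) live.src = d.src;           // external tag
    else live.textContent = d.el.textContent; // inline tag shipped inert
    d.el.replaceWith(live);
    activated.push(d.category);
  }
  return activated;
}

// Pre-consent self-check: every cookie visible before the banner is answered must be
// in the list of strictly necessary cookie names. Returns the offenders.
function preConsentViolations(cookieNames, necessaryNames) {
  return cookieNames.filter(n => !necessaryNames.includes(n));
}
```

In the page, `activateTags(document, storedConsent)` runs once on load with whatever consent has already been recorded, and again from the banner's accept handler; under the default state only `necessary` tags are touched. Calling `preConsentViolations(document.cookie.split('; ').map(c => c.split('=')[0]), ['session_id'])` in a fresh profile before clicking anything reproduces the incognito-window check as an automated test.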

  8. Accept and Reject buttons equally prominent

    The option to reject non-essential cookies must be presented with equal prominence to the option to accept them. This means the same visual treatment: same size, same color weight, same layer of the interface. A large green "Accept All" button next to a small gray "Manage Settings" link does not constitute equal prominence. The CNIL, Garante, and multiple other DPAs have issued fines specifically for this issue. Both options should be on the first layer of the cookie banner without requiring additional clicks.

  9. Granular category-level consent available

    Users must be able to consent to specific categories of cookies independently. Accepting analytics cookies should not require also accepting advertising cookies. At minimum, provide separate toggles for: strictly necessary (always on, not toggleable), functional, analytics/performance, and marketing/advertising. If you use cookies for multiple distinct purposes within a category, consider providing even more granular options.

  10. No pre-ticked checkboxes

    When a user opens the detailed cookie preferences, all optional categories must be unticked by default. Only strictly necessary cookies (which do not require consent) may be pre-enabled. The CJEU confirmed in the Planet49 ruling (Case C-673/17) that pre-ticked checkboxes do not constitute valid consent. This applies regardless of whether the user can untick them — the default state must be opt-out, requiring an affirmative action to opt in.

  11. Consent withdrawal as easy as giving consent

    Article 7(3) of the GDPR requires that withdrawing consent must be as easy as giving it. If a user can accept cookies with a single click on a banner, they must be able to withdraw consent with comparable ease. Best practice is a persistent, always-visible link or icon (e.g., in the footer or as a floating button) that opens the cookie preference center where the user can modify or revoke their choices. Requiring the user to clear their browser cookies, navigate to a buried settings page, or contact support does not meet this standard.

  12. Consent records stored with timestamps

    You must be able to demonstrate that consent was given. Store a record of each consent action including: timestamp, the consent choices made (which categories were accepted/rejected), the version of the cookie banner and policy in effect at the time, and a unique identifier for the consent (not necessarily linked to a user account for anonymous visitors). Under the GDPR's accountability principle, the burden of proof for consent lies with the controller. If you cannot produce evidence that a specific user consented, their consent is effectively unproven.
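The record described above (timestamp, choices per category, banner/policy version, a consent identifier not tied to an account) can be built as a small structure and checked for currency on every visit. The JavaScript below is an added example, not the checklist's own code; the policy version string, the consent-cookie retention period and the identifier generator are constructed assumptions. It also shows withdrawal as just another recorded consent action with every optional category off, which is what "as easy as giving consent" looks like on the data side.

```javascript
// Added example, not from the checklist. POLICY_VERSION and the cookie retention are constructed values.
const POLICY_VERSION = '2024-06-01';        // constructed; bump whenever banner text or the cookie list changes
const CONSENT_COOKIE_MAX_AGE = 180 * 86400; // constructed retention for the first-party consent cookie itself

// Consent ids only need to be unique, not secret; prefer the Web Crypto UUID when available.
let fallbackCounter = 0;
function newConsentId() {
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') return globalThis.crypto.randomUUID();
  return `${Date.now().toString(36)}-${(++fallbackCounter).toString(36)}-${Math.random().toString(36).slice(2)}`;
}

// Build the record the controller keeps as proof of consent. Missing choices are treated as refused,
// so an unticked category can never be recorded as accepted (no pre-ticked defaults).
function buildConsentRecord(choices, policyVersion = POLICY_VERSION, now = new Date()) {
  return {
    id: newConsentId(),
    timestamp: now.toISOString(),
    policyVersion,
    choices: {
      necessary: true,                    // never subject to consent
      functional: choices.functional === true,
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    },
  };
}

// A stored record is only usable if it is well formed and was given under the current policy version;
// otherwise the banner must be shown again.
function isRecordCurrent(record, policyVersion = POLICY_VERSION) {
  return Boolean(
    record && record.id && record.timestamp &&
    record.policyVersion === policyVersion &&
    record.choices && record.choices.necessary === true
  );
}

// Serialize the record into a first-party cookie (the browser-side copy; the server keeps its own log).
function consentCookieHeader(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${CONSENT_COOKIE_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Withdrawal is a new record with every optional category refused, logged like any other consent action.
function withdrawAll(policyVersion = POLICY_VERSION, now = new Date()) {
  return buildConsentRecord({}, policyVersion, now);
}
```

On each request the server (or the page script) reads the stored record, runs `isRecordCurrent` against the live policy version, and re-prompts if it fails; the same record, keyed by `id`, is what you produce when asked to demonstrate that a given consent was obtained.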

Cookie Policy

Your cookie policy is both a legal document and a transparency tool. It must be accurate, complete, and comprehensible.

  13. Cookie policy exists and is accessible

    A dedicated cookie policy (or a clear cookie section within your privacy policy) must exist and be easily findable. Best practice is a dedicated page linked from your website footer, your cookie banner, and your main privacy policy. The policy must be accessible without accepting cookies — users should be able to read it before making a consent decision.

  14. All cookies listed with names, purposes, types, and durations

    Your cookie policy must include a table or structured list of every cookie your website sets, including: the cookie name, who sets it (first-party or third-party provider), what it does (in plain language), whether it is a session or persistent cookie, and how long it lasts. This is not optional — it is an explicit requirement under the transparency provisions of the GDPR (Articles 12-14) and the informed consent requirement of the ePrivacy Directive.

  15. Third-party providers identified

    Your policy must name the third-party services that set cookies on your website. "We use third-party analytics cookies" is not sufficient. "We use Google Analytics (by Google LLC), which sets the following cookies: _ga, _gid, _gat" is. Users have the right to know who is collecting data about them and to make informed decisions about each provider.

  16. Instructions for managing cookies included

    Your policy should explain how users can manage their cookie preferences, including: how to access your cookie preference center to change consent choices, how to delete existing cookies through browser settings, and links to the privacy policies of major third-party cookie providers. While browser-level cookie management is the user's responsibility, providing clear instructions demonstrates good faith and supports the principle of user empowerment.

  17. Policy dated and regularly updated

    Your cookie policy must include the date it was last updated. Whenever you add new cookies, remove cookies, change third-party providers, or modify cookie purposes, the policy must be updated to reflect the change. An undated policy or one that has not been updated in over a year is a red flag for DPAs. Best practice: integrate your cookie scanning results with your policy, so the policy is updated automatically when new cookies are detected.

Cookie Banner

The cookie banner is the visible interface of your consent management. It must balance legal compliance with usability.

  18. Banner displays on first visit before cookies are set

    The cookie banner must appear the first time a user visits your website, before any non-essential cookies are set. The banner should be immediately visible without scrolling, should not be easily dismissed by accidental clicks, and should persist until the user makes an active choice. The banner must not interfere with the user's ability to navigate away from the page or access essential content (though restricting access to content behind a consent requirement may be permissible in some jurisdictions, the safer approach is to allow navigation while the banner is displayed).

  19. Banner is accessible (keyboard navigable, screen reader compatible)

    Your cookie banner must itself be accessible. This means: all interactive elements (buttons, toggles, links) must be reachable and operable via keyboard; the banner must be properly announced to screen readers with appropriate ARIA attributes; focus must be managed correctly (focus should move to the banner when it appears and return to the page when it is dismissed); color contrast must meet WCAG 2.1 AA standards (4.5:1 for normal text, 3:1 for large text); and the banner must be usable at different zoom levels and screen sizes. An inaccessible cookie banner is both a legal risk (failing WCAG compliance) and a reputational risk for any organization claiming to care about privacy and inclusion.

  20. Banner links to full cookie policy

    The cookie banner must include a link to your full cookie policy, allowing users to read detailed information about each cookie before making their consent decision. The link should be clearly visible and labeled (e.g., "Read our cookie policy" or "Learn more"). The GDPR requires that consent be "informed," which means the information needed to make an informed decision must be accessible at the point of consent.

  21. Banner does not use dark patterns

    Dark patterns in cookie banners undermine the validity of consent. Avoid: making the accept button visually dominant (larger, brighter, more prominent) while making the reject option subtle or hidden; using confusing language ("Accept recommended settings" instead of clear options); requiring more clicks to reject than to accept; using color coding that implies rejecting is wrong (red for reject, green for accept); employing "confirm-shaming" language ("No, I don't care about my experience"); and any other design that nudges, manipulates, or tricks users toward acceptance. The EDPB's Guidelines on Dark Patterns (adopted February 2023) provide detailed examples of prohibited practices.

Technical & Ongoing

Cookie compliance is not a project with a completion date. It is a continuous operational process.

  22. Google Consent Mode v2 implemented (if using Google services)

    If you use any Google services (Analytics, Ads, Tag Manager), Google Consent Mode v2 is required as of March 2024 for serving ads in the EEA. Consent Mode communicates your users' cookie consent choices to Google's tags, adjusting their behavior based on consent status. Without Consent Mode, Google tags may not function correctly with your consent management platform, leading to either data loss (tags blocked entirely) or compliance violations (tags firing without consent). Implement both the ad_storage and analytics_storage consent parameters, and ensure they default to "denied" until consent is given.
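The JavaScript below is an added example, not Google's code or the checklist's, showing the two Consent Mode calls the point above requires: a `default` command with every signal set to `denied` before any Google tag loads, followed by an `update` command derived from the banner's category choices. The page names only `ad_storage` and `analytics_storage`; `ad_user_data` and `ad_personalization` are the two further parameters that Consent Mode v2 introduced, and the `gtag`/`dataLayer` shape is the one from Google's standard snippet. The mapping from banner categories to Google signals is an assumption of this example; `defaultsWereSetFirst` is a constructed audit helper that checks the ordering the text insists on.

```javascript
// Added example, not Google's or the page's code.
const dataLayer = [];                              // in a browser: window.dataLayer = window.dataLayer || []
function gtag() { dataLayer.push(arguments); }    // same shape as Google's standard snippet

// ad_storage and analytics_storage are named on the page; ad_user_data and ad_personalization
// are the two parameters added in Consent Mode v2.
const CONSENT_MODE_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Default state: everything denied until the user decides. Must run before any Google tag loads.
function consentModeDefaults() {
  return Object.fromEntries(CONSENT_MODE_KEYS.map(k => [k, 'denied']));
}

// Map banner categories to Consent Mode signals (assumed mapping: marketing drives the three
// ad signals, analytics drives analytics_storage). Absent or false means denied.
function toConsentMode(choices) {
  const ad = choices.marketing === true ? 'granted' : 'denied';
  return {
    ad_storage: ad,
    ad_user_data: ad,
    ad_personalization: ad,
    analytics_storage: choices.analytics === true ? 'granted' : 'denied',
  };
}

function installDefaults() {
  gtag('consent', 'default', consentModeDefaults());
}

// Called from the banner's accept/save handler and on later visits with the stored record.
function pushUpdate(choices) {
  const state = toConsentMode(choices);
  gtag('consent', 'update', state);
  return state;
}

// Audit helper (constructed): the first consent command in the data layer must be the
// all-denied default; an 'update' arriving first means a tag could have fired without consent.
function defaultsWereSetFirst(layer = dataLayer) {
  const first = Array.from(layer).find(cmd => cmd[0] === 'consent');
  return Boolean(first && first[1] === 'default' && CONSENT_MODE_KEYS.every(k => first[2][k] === 'denied'));
}
```

In a page, `installDefaults()` belongs in the head above the Tag Manager or gtag.js loader, and `pushUpdate` is wired to the same consent record the banner stores; checking `defaultsWereSetFirst(window.dataLayer)` in the browser console is a quick way to verify the ordering during an audit.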

  23. Regular cookie scanning scheduled

    Set up automated cookie scans on a recurring schedule. At minimum, scan monthly. Ideally, integrate scanning into your deployment pipeline so that every release is scanned automatically. Configure alerts for new or changed cookies so your team can evaluate and categorize them promptly. A scan that runs but is never reviewed provides no compliance benefit.

  24. Process for reviewing new third-party scripts

    Establish a formal process that must be followed before any new third-party script, plugin, or service is added to your website. The process should include: identifying what cookies the script sets, categorizing those cookies, updating the consent management configuration to include them, updating the cookie policy, and verifying that the script is correctly blocked until appropriate consent is given. This process should involve both technical (development) and compliance (legal/privacy) review. The most common cause of cookie compliance failures is new scripts being added to a website without going through a privacy review.

  25. Staff trained on cookie compliance

    Everyone involved in your website — developers, marketers, content creators, and managers — should understand the basics of cookie compliance and their role in maintaining it. Developers need to know how to add scripts in a consent-aware manner. Marketers need to understand that adding a new tracking pixel requires a compliance review. Content creators need to know that embedding a YouTube video introduces third-party cookies. Training does not need to be extensive, but it must cover the key principle: no new tracking without review. A single untrained team member adding a marketing script without going through the review process can undo months of compliance work.

Using This Checklist

This checklist is designed to be used in three ways:

  • Initial implementation: Work through all 25 points sequentially when setting up cookie compliance for the first time. Do not skip points or leave them for later — partial compliance is still non-compliance.
  • Regular audit: Review the checklist quarterly to verify that all points remain satisfied. Pay particular attention to the ongoing items (points 22-25), as these are the most likely to drift over time.
  • After changes: Whenever your website undergoes a significant change (new features, new third-party services, redesign, CMS migration), run through the relevant sections of the checklist to verify compliance is maintained.

Cookie compliance is achievable. It requires attention and process, but none of the individual requirements are unreasonably difficult. The organizations that struggle are typically those that treat compliance as a one-time project rather than an ongoing operational concern. Build it into your workflow, assign clear ownership, and use this checklist as your recurring verification tool.
