Cookie & GDPR Module
Module ID: cookie_gdpr | Type: Conditional | Profiles: full, security
The Cookie & GDPR module checks for consent management platforms, privacy policy links, cookie policy links, consent-before-tracking behaviour, and data controller information.
What It Checks
| Check | What It Looks For |
|---|---|
| Consent management platform | CookieBot, OneTrust, CookieYes, Quantcast, or custom banners |
| Privacy policy link | Link to a privacy policy page |
| Cookie policy link | Link to a specific cookie policy |
| Consent before tracking | Whether analytics/tracking scripts load before consent |
| Data controller info | Contact details for the data controller |
| Cookie banner visibility | Whether the consent banner is present on first load |
| Third-party cookies | Scripts that set third-party cookies |
| Google Analytics consent mode | GA4 consent mode implementation |
Scoring Breakdown
| Criterion | Deduction | Condition |
|---|---|---|
| No consent management | -25 | No cookie consent banner or CMP detected |
| No privacy policy link | -20 | No link to privacy policy |
| No cookie policy | -10 | No specific cookie policy page |
| Tracking before consent | -15 | Analytics scripts load without consent check |
| No data controller info | -5 | No contact information for data controller |
| Third-party cookies without consent | -10 | Third-party scripts load unconditionally |
Example Findings
P0 CRITICAL: No cookie consent mechanism
The site loads tracking scripts but has no cookie consent banner.
This violates GDPR (EU), PECR (UK), and similar regulations.
Fix: Implement a consent management platform. Options include
CookieBot, CookieYes, or OneTrust.
Effort: Medium
P1 HIGH: Google Analytics loads before consent
The GA4 script tag is present in the initial HTML with no consent
gate. Under GDPR, analytics cookies require explicit opt-in consent.
Fix: Implement GA4 consent mode or defer the script until consent
is granted.
Effort: Medium
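The following Node.js script is an added, illustrative example and not the audit tool's own code. It approximates the checks and deductions from the tables above and shows what the P1 fix looks like in practice: it scans two constructed HTML pages, one that loads gtag.js with no gate at all, and one that sets a GA4 consent-mode default of `analytics_storage: 'denied'` before the tag loads, loads the Cookiebot CMP, and blocks a Meta Pixel tag with the Cookiebot-style `type="text/plain"` plus `data-cookieconsent` attributes. The CMP and tracker signatures, the site host `www.example.com`, the placeholder measurement ID `G-XXXX`, and the regex heuristics for policy links and data-controller contact details are all assumptions made for the example; the real module's detection logic is not documented on this page.

```javascript
// Added example, not the audit tool's own code: a static, regex-based approximation of this
// module's checks and scoring over an HTML string. Signatures and heuristics are assumptions.
const CMP_SIGNATURES = [
  { name: "Cookiebot", re: /consent\.cookiebot\.com/i },
  { name: "OneTrust", re: /cdn\.cookielaw\.org|otSDKStub/i },
  { name: "CookieYes", re: /cdn-cookieyes\.com/i },
  { name: "Quantcast", re: /quantcast\.mgr\.consensu\.org/i },
];
// Only Google tags honour GA4 consent mode; other trackers count as gated only when the CMP
// blocks the tag itself (type="text/plain" plus a data-cookie* category attribute).
const TRACKER_SIGNATURES = [
  { name: "Google Analytics 4 (gtag.js)", re: /googletagmanager\.com\/gtag\/js/i, consentMode: true },
  { name: "Google Tag Manager", re: /googletagmanager\.com\/gtm\.js/i, consentMode: true },
  { name: "Meta Pixel", re: /connect\.facebook\.net\/.*fbevents\.js/i, consentMode: false },
];
// Deductions from the Scoring Breakdown table.
const DEDUCTIONS = { noConsentManagement: 25, noPrivacyPolicy: 20, noCookiePolicy: 10,
  trackingBeforeConsent: 15, noDataControllerInfo: 5, thirdPartyWithoutConsent: 10 };

// Offset of a consent-mode default that denies analytics_storage, or -1. The default only
// gates tags that load after it in the document, so the offset is what matters.
function consentDefaultIndex(html) {
  const re = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]\s*,\s*\{([^}]*)\}/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/analytics_storage\s*:\s*['"]denied['"]/.test(m[1])) return m.index;
  }
  return -1;
}

// Every <script src=...> with its offset and whether a CMP blocks it from executing.
function externalScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = (m[1].match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue;
    const blocked = /\btype\s*=\s*["']text\/plain["']/i.test(m[1]) && /\bdata-cookie/i.test(m[1]);
    out.push({ src, index: m.index, blocked });
  }
  return out;
}

function hostOf(src, siteHost) {
  try { return new URL(src, `https://${siteHost}/`).hostname; } catch (e) { return ""; }
}

// Returns { score, findings }. P0/P1 labels follow the Example Findings above; the page does
// not document priorities for the other criteria, so those findings carry none.
function auditCookieConsent(html, siteHost) {
  const findings = [];
  let score = 100;
  const deduct = (key, text) => { score -= DEDUCTIONS[key]; findings.push(text); };
  const defaultIdx = consentDefaultIndex(html);
  const trackersSeen = [], ungatedTrackers = [], ungatedThirdParty = new Set();
  for (const s of externalScripts(html)) {
    const host = hostOf(s.src, siteHost);
    // First-party scripts and the CMP loader (which must run before consent) are exempt.
    if (!host || host === siteHost || CMP_SIGNATURES.some((c) => c.re.test(s.src))) continue;
    const tracker = TRACKER_SIGNATURES.find((t) => t.re.test(s.src));
    const gated = s.blocked ||
      (tracker !== undefined && tracker.consentMode && defaultIdx !== -1 && defaultIdx < s.index);
    if (tracker) trackersSeen.push(tracker.name);
    if (tracker && !gated) ungatedTrackers.push(tracker.name);
    if (!gated) ungatedThirdParty.add(host);
  }
  if (!CMP_SIGNATURES.some((c) => c.re.test(html)) && !/cookie-?(banner|consent)/i.test(html)) {
    // P0 is documented only for "loads tracking scripts but has no banner"; P1 otherwise is assumed.
    deduct("noConsentManagement", `${trackersSeen.length ? "P0 CRITICAL" : "P1 HIGH"}: No cookie consent banner or CMP detected`);
  }
  if (!/<a\b[^>]*href\s*=\s*["'][^"']*privacy[^"']*["']/i.test(html)) deduct("noPrivacyPolicy", "No link to privacy policy");
  if (!/<a\b[^>]*href\s*=\s*["'][^"']*cookie[^"']*["']/i.test(html)) deduct("noCookiePolicy", "No specific cookie policy page");
  if (ungatedTrackers.length) deduct("trackingBeforeConsent", `P1 HIGH: ${ungatedTrackers.join(", ")} loads before consent`);
  if (!(/data controller/i.test(html) && /mailto:/i.test(html))) deduct("noDataControllerInfo", "No contact information for data controller");
  if (ungatedThirdParty.size) deduct("thirdPartyWithoutConsent", `Third-party scripts load unconditionally: ${[...ungatedThirdParty].join(", ")}`);
  return { score, findings };
}

// Constructed sample pages; G-XXXX is a placeholder, not a real measurement ID.
const UNGATED_PAGE = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
gtag('js',new Date());gtag('config','G-XXXX');</script>
</head><body><h1>Shop</h1><script src="/app.js"></script></body></html>`;
const GATED_PAGE = `<html><head>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
gtag('consent','default',{analytics_storage:'denied',ad_storage:'denied',wait_for_update:500});</script>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-blockingmode="auto"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>gtag('js',new Date());gtag('config','G-XXXX');</script>
<script type="text/plain" data-cookieconsent="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><footer><a href="/privacy-policy">Privacy Policy</a> <a href="/cookie-policy">Cookie Policy</a>
<p>Data controller: Example Ltd, <a href="mailto:privacy@example.com">privacy@example.com</a></p></footer></body></html>`;

for (const [label, page] of [["ungated", UNGATED_PAGE], ["gated", GATED_PAGE]]) {
  console.log(label, JSON.stringify(auditCookieConsent(page, "www.example.com")));
}
```

Run with `node audit.js`: the ungated page collects every deduction in the table (score 15, with the P0 and P1 findings worded as in the examples above), while the gated page scores 100 because the consent default precedes gtag.js and the pixel tag is blocked. Two caveats a practitioner should keep in mind: a static scan cannot see cookies that are set at runtime, so the "third-party" check here is a conservative upper bound over every ungated external script host, and consent mode only applies to Google tags, which is why the example treats any other tracker as gated only when the tag itself is blocked.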