Technical | 7 min read | April 14, 2025

How to Audit Consent Banners and Policy Links

Cookie consent banners and privacy policy links are among the most commonly misconfigured privacy elements. Learn how to audit them effectively.

Consent banners and privacy policy links are the two most visible privacy controls on any website — and the two most commonly misconfigured. Regulators have issued significant fines for both.

Here's how to audit each one thoroughly.

Auditing your privacy policy link

Step 1: Check visibility. Your privacy policy must be easily findable. Best practice: link in the footer of every page, in your cookie notice, in any sign-up forms, and in any marketing emails.

Step 2: Check the link actually works. Broken privacy policy links are common and are a clear signal to regulators of negligence.

Step 3: Check the policy is current. If your policy still refers to tools you no longer use, or doesn't mention tools you've added, it's out of date. Review and update whenever your data processing changes.

Auditing your cookie consent banner

A compliant consent banner must: appear before any non-essential cookies are set, allow users to accept or decline each category, make declining as easy as accepting, and remember the user's preference.

Step 1: Clear your browser cookies and visit your site in an incognito window. Does the banner appear immediately on first visit, before any scripts have fired?

Step 2: Check that declining is possible. Regulators (particularly CNIL and the ICO) have specifically cracked down on banners where 'Decline' is hard to find or requires more clicks than 'Accept'.

Step 3: Test that consent is respected. After declining, use your browser's developer tools (Application tab) to verify that non-essential cookies haven't been set.

Step 4: Check your analytics. If you're running Google Analytics, verify it's not firing for users who have declined. This often requires Consent Mode v2 configuration.
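Steps 3 and 4 can be turned into a repeatable check. The following is an added example, not PrivacyAudit's code: it takes the `document.cookie` value captured after clicking 'Decline' and lists every cookie outside an allowlist. The allowlist names and the sample cookie string are constructed assumptions; the tracker patterns are the commonly seen Google Analytics, Google Ads and Meta Pixel cookie names.

```javascript
// Assumed allowlist of strictly necessary cookies for a hypothetical site.
const ESSENTIAL = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Commonly seen non-essential cookie names, grouped by consent category.
const KNOWN_TRACKERS = [
  { pattern: /^_ga($|_)/, category: "analytics", vendor: "Google Analytics" },
  { pattern: /^_gid$/, category: "analytics", vendor: "Google Analytics" },
  { pattern: /^_gat($|_)/, category: "analytics", vendor: "Google Analytics" },
  { pattern: /^_gcl_/, category: "advertising", vendor: "Google Ads" },
  { pattern: /^_fbp$/, category: "advertising", vendor: "Meta Pixel" },
];

// Split a document.cookie string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => (pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : pair));
}

// Return every cookie present after declining that is not on the allowlist.
// Unknown names are reported as "unclassified" so a human reviews them.
function auditAfterDecline(cookieString, essential = ESSENTIAL) {
  return parseCookieNames(cookieString)
    .filter((name) => !essential.has(name))
    .map((name) => {
      const hit = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
      return {
        name,
        category: hit ? hit.category : "unclassified",
        vendor: hit ? hit.vendor : null,
      };
    });
}

// Constructed sample: what a misconfigured site might still hold after 'Decline'.
const SAMPLE_AFTER_DECLINE =
  "session_id=abc123; cookie_consent=declined; _ga=GA1.1.111.222; " +
  "_ga_ABC123XYZ=GS1.1.1.0; _fbp=fb.1.1.1; promo_seen=1";

for (const f of auditAfterDecline(SAMPLE_AFTER_DECLINE)) {
  console.log(`${f.name}: ${f.category}${f.vendor ? " (" + f.vendor + ")" : ""}`);
}
```

`document.cookie` omits HttpOnly cookies, so cross-check the result against the cookie list in the Application tab.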

Common failure patterns

Pre-ticked boxes: consent must be active, not passive. Pre-ticked boxes don't constitute valid consent.

Soft opt-out: a banner that says 'We use cookies' with only an 'OK' button is not compliant — there's no way to decline.

Consent without granularity: bundling analytics and advertising into a single 'Accept' is not compliant if users can't accept one and decline the other.

The automated approach

Manually checking all of the above on multiple pages is time-consuming. PrivacyAudit automates this by scanning your site, identifying all cookies and scripts that fire, and flagging those that appear before consent is registered.
