
How to Audit Your Cookie Consent Banner: The Independent 14-Point Checklist for 2026

Robert Thompson
April 27, 2026
7 min read


In September 2025, the CNIL fined Google €325 million and Shein €150 million on the same day — both for cookie consent banner violations. France's data protection authority issued €486.8 million in fines that year alone, with cookies and tracking violations leading the list. In January 2026, two more telecom fines followed: €27M against Free Mobile, €15M against Free.

If you're running a B2B e-shop in the EU and your last cookie audit was "the CMP installed the banner, we ticked the box" — you have an exposure problem. The CMP that set up your banner is also the only thing checking it. That's not an audit; that's marking your own homework.

This is the 14-point independent audit. Run it quarterly and before any deploy that touches third-party scripts.

Why CMPs Cannot Audit Themselves

Most cookie consent guides today are published by the same vendors who sell the banner: Cookiebot, CookieYes, OneTrust, Iubenda, Termly. That structural conflict is why their audit checklists stop at the surface — "make sure 'Reject All' is visible" — and never touch what actually triggers regulatory fines.

The CNIL's 2025 enforcement actions against Google and Shein cited specifically: "advertising cookies placed before the user made any choice, cookies placed despite an explicit refusal, and cookies continuing to be read after the user withdrew consent." None of those fail at the banner UI layer — they fail at the JavaScript-execution layer. Your CMP would have to test against itself to find them.

Independent scanning catches what self-checks miss.

Step 1 — Audit Pre-Consent Behavior (The Highest-Risk Layer)

This is the single most-cited violation in EU enforcement. Under ePrivacy Article 5(3), no non-essential cookies, pixels, or trackers may fire before explicit consent — yet the EDPB Cookie Banner Taskforce report (January 2023) flagged inadequate categorization of non-essential cookies as "strictly necessary" as one of the most common infringements identified by EU regulators.

To audit this:

  1. Clear browser cookies and localStorage completely.
  2. Open the page in an incognito window with DevTools open on the Network and Application tabs.
  3. Without interacting with the banner, list every cookie set, every script loaded, every tracker fired.
  4. Cross-check each one against the "strictly necessary" definition — auth session, language preference, basket. Anything from Google Analytics, Facebook Pixel, ad-tech, or a fingerprinting library is a violation.

The trap: many CMPs claim to "block scripts before consent" but only block their own declared scripts. Anything injected by Tag Manager, hardcoded in the theme, or loaded by a Shopify, Shopware, or WooCommerce plugin escapes the CMP entirely. If you didn't run the scan yourself with the CMP active, you don't know what fires.

If anything non-essential loads before consent, nothing else on this checklist matters yet.

Step 2 — Audit the Banner UI for Dark Patterns

The EDPB's January 2023 taskforce report — adopted after privacy NGO NOYB filed 700+ complaints — set what it called "a minimum threshold" for cookie banner compliance. The CNIL has since enforced that threshold against Google, Shein, American Express, and others.

Check each of these on your live site:

  • "Reject All" visible on the first layer. Hidden behind "Settings" is a dark pattern.
  • Accept and Reject buttons visually equivalent. Same color, same size, same prominence. Greyed-out reject is a dark pattern.
  • No pre-ticked checkboxes for non-essential purposes — including on the second layer.
  • No nudging language. "Recommended" badges next to "Accept All", scary copy on "Reject" — both flagged in EDPB guidance.
  • Plain language for each purpose. "Marketing" beats "Improve our services."

If the easy path is "Accept All" and the hard path is anything else, the consent is not freely given.

Step 3 — Audit Granular Consent and Withdrawal

GDPR Article 7(3) requires that withdrawing consent be as easy as giving it. The taskforce report identified withdrawal failures as a recurring infringement of the ePrivacy Directive.

Your audit needs to confirm:

  • Users can accept some categories and reject others — not all-or-nothing.
  • A persistent "Cookie Settings" link exists in the footer (or equivalent) on every page.
  • Re-opening Cookie Settings shows the user's current choices, not a fresh "Accept All" state.
  • Withdrawing consent actually removes the cookies and stops the trackers — not just updates the banner state. This is where Shein's €150M fine came from: opt-out mechanisms that did not function.

"It looks like consent" is not the same as "consent works."
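The pre-consent scan in Step 1 and the withdrawal check in Step 3 both come down to the same question: which cookies were set or read while the user had not consented? A DevTools HAR export ("Save all as HAR" on the Network tab) captured during each phase can be checked mechanically. The script below is an added example, not CookieSentry's scanner; the strictly-necessary allowlist, the phase labels and the sample HAR are all constructed for illustration.

```python
"""Classify cookies observed in a DevTools HAR export by consent phase.
Added example, not CookieSentry's scanner; the allowlist and HAR are constructed."""
import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed allowlist: the only names this shop can justify as strictly necessary.
STRICTLY_NECESSARY = {"sessionid", "lang", "basket"}

# Phase the HAR was captured in, mapped to how a non-essential cookie sighting is described.
PHASES = {"pre_consent": "before any choice", "refused": "despite explicit refusal",
          "withdrawn": "after withdrawal"}

def cookies_in_entry(entry):
    """Yield (name, direction): 'set' for a Set-Cookie header on the response,
    'read' for a Cookie header sent with the request."""
    for headers, hname, direction in ((entry["response"]["headers"], "set-cookie", "set"),
                                      (entry["request"]["headers"], "cookie", "read")):
        for h in headers:
            if h["name"].lower() == hname:
                jar = SimpleCookie()
                jar.load(h["value"])
                for name in jar:
                    yield name, direction

def audit(har_text, phase):
    """Return sorted (cookie, host, finding) for every non-essential cookie that was
    set or read in a HAR captured during the given phase (see PHASES)."""
    findings = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for name, direction in cookies_in_entry(entry):
            if name not in STRICTLY_NECESSARY:
                verb = "placed" if direction == "set" else "read"
                findings.add((name, host, f"{verb} {PHASES[phase]}"))
    return sorted(findings)

# Constructed HAR: the first-party page sets session and language cookies, then a
# third-party analytics beacon sets and immediately reads its own ID cookie.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://shop.example.com/", "headers": []},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "sessionid=s1; Path=/; HttpOnly; Secure"},
         {"name": "Set-Cookie", "value": "lang=de; Path=/"}]}},
    {"request": {"url": "https://analytics.example.net/collect?v=1",
                 "headers": [{"name": "Cookie", "value": "_tid=t1"}]},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "_tid=t1; Path=/; Max-Age=63072000"}]}}]}})

if __name__ == "__main__":
    for finding in audit(SAMPLE_HAR, "pre_consent"):
        print(*finding)
```

Run it once against a HAR captured before touching the banner, once after "Reject All", and once after withdrawing consent via Cookie Settings; an empty result in all three phases is the bar the CNIL findings quoted above describe.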

Step 4 — Audit Your Consent Records

GDPR Article 7(1) requires that the controller be able to demonstrate that the data subject consented. In a regulator inquiry, "we have a CMP" is not evidence — you need per-user consent logs.

Your audit should verify:

  • Every consent event is logged with timestamp, IP, user-agent, banner version, and the exact purposes accepted or rejected.
  • Logs are retrievable on demand — not stuck inside a CMP's interface that requires their support team to export.
  • Logs survive at least the limitation period for the relevant national DPA (typically three years; some jurisdictions longer).
  • You can produce a timestamped audit trail showing what cookies fired before vs. after consent — the kind of evidence the CNIL asked for in the Google case.

If you cannot produce per-user consent records during a complaint, you have no consent.

Step 5 — Re-Audit on a Schedule

One audit is not compliance. Third-party scripts change without warning — a Shopify app update, a new marketing pixel from your team, a tag manager push from an agency. Each of those can flip a previously-clean site into violation.

Set:

  • Quarterly full audits — repeat all four steps above, on production.
  • Pre-deploy spot checks — run the pre-consent scan after any release that touches scripts, plugins, or analytics.
  • Post-incident audits — a fresh scan within 24 hours of any DPA inquiry, NOYB complaint, or news story about a competitor being fined.

Compliance decays the moment you stop measuring it.

Get a Timestamped Audit PDF in Two Minutes

Manual audits work but they do not scale, and they do not produce the kind of legal evidence regulators want. CookieSentry is an independent scanner — not a CMP — that runs all four steps above against any URL and produces a timestamped compliance audit PDF. It catches what your CMP cannot, because it tests your site as a real visitor would, with the CMP active. Run it once and you will know exactly where you stand under GDPR and ePrivacy.

FAQ

How often should I audit my cookie consent banner?

Quarterly at minimum, plus after any release that changes third-party scripts, plugins, or tag manager configurations. Most violations come from a script that was added between audits.

Can my CMP run the audit for me?

Only partially. CMPs check that their own banner is correctly configured. They cannot test what runs alongside or above them — and that is where most enforcement actions originate.

Is a cookie audit the same as a GDPR audit?

No. A cookie audit covers one specific area — ePrivacy compliance and one of GDPR's lawful basis requirements. A full GDPR audit covers data processing across your entire organization.

What happens if my audit finds a violation?

Fix it before publishing the audit. Then keep the audit log — it is evidence of due diligence, which is a mitigating factor in any future DPA enforcement.

Do I need an audit if my site only uses essential cookies?

You still need to verify that claim. The "strictly necessary" exception is narrowly interpreted by EU regulators, and several enforcement cases hinged on cookies that the controller assumed were essential but were not.

Will a cookie audit hold up if a DPA opens an investigation?

A timestamped audit run by a tool independent of your CMP carries more weight than a self-report. Regulators look for evidence of independent verification, not just CMP-vendor declarations.

Robert Thompson

DevOps engineer and automation specialist
