Most Cookie Consent Banners Don’t Check for Compliance

As I’ve had more opportunities to work with cookie consent managers, I’ve come to the surprising realization that most of them (all of them?) fail to track if websites are in compliance with various privacy laws.
One client we’ve been working with pays a lot of money for an enterprise-level cookie consent solution. Their cookie process is similar to what I’ve seen for other consent managers:
- The consent manager runs a scan across the client’s website to identify any cookies or other trackers.
- The consent manager may provide a suggested category for any trackers that it recognizes.
- The client has to verify that the suggested categorization is correct and categorize any cookies that the consent manager didn’t recognize.
- There may be some additional work to make sure these categorizations are replicated in tag managers.
- Once the categorization is complete, then the cookies should only be set when users provide the appropriate consent.
- Periodically, the consent manager will scan the site to look for any new cookies or trackers. If any are found, this process is repeated.
The realization I’ve had is that the subsequent scans don’t verify whether cookies are being set correctly. Their primary purpose is to look for new cookies. That’s valuable, but it doesn’t ensure compliance.
Our client needed to be certain that non-required cookies weren’t getting set before consent was granted. I created a script that checks what trackers are set before and after consent. But in order to get this information from their enterprise solution, they had to request a special scan.
Even after requesting the special scan, our client only learned what had been set before consent, not whether cookies were being set correctly based on the categories users had consented to.
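Here is the kind of check the post describes, as an added example that is not the script from the original post or any consent manager’s code. It assumes the client has exported its verified categorization as a cookie-name-to-category map, and that a crawler (a headless browser, not shown here) has captured `document.cookie` at each consent state. The check then flags any non-essential cookie present without consent for its category, and reports unknown cookies separately rather than ignoring them. All cookie names, categories and snapshots below are constructed sample data.

```javascript
// Added example: compliance check over captured cookie snapshots.
// Assumption: the site's categorization has been exported as name -> category, and a
// crawler captured document.cookie before consent, after declining, and after partial consent.

// Constructed categorization, as a client would produce it after verifying the manager's suggestions.
const CATEGORIZATION = {
  session_id: "necessary",
  consent_state: "necessary",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
  ab_variant: "functional",
};

// Only "necessary" cookies may be set without consent under this (assumed) policy.
const ESSENTIAL = new Set(["necessary"]);

// Extract cookie names from a document.cookie string captured by the crawler.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => pair.split("=")[0]);
}

// Core check: every observed cookie must be essential or belong to a consented category.
// Unknown cookies are what the periodic scan finds; a compliance check must not skip them.
function checkSnapshot(observedNames, consentedCategories, categorization = CATEGORIZATION) {
  const allowed = new Set([...ESSENTIAL, ...consentedCategories]);
  const violations = [];
  const unknown = [];
  for (const name of observedNames) {
    const category = categorization[name];
    if (category === undefined) {
      unknown.push(name);
      continue;
    }
    if (!allowed.has(category)) violations.push({ name, category });
  }
  return { violations, unknown, compliant: violations.length === 0 && unknown.length === 0 };
}

// Run the same check across each consent state a crawl would capture.
function auditConsentStates(snapshots, categorization = CATEGORIZATION) {
  const report = {};
  for (const [state, { cookies, consented }] of Object.entries(snapshots)) {
    report[state] = checkSnapshot(cookieNames(cookies), consented, categorization);
  }
  return report;
}

// Constructed snapshots standing in for what a headless-browser crawl would capture.
const SAMPLE_SNAPSHOTS = {
  beforeConsent: {
    cookies: "session_id=abc; consent_state=; _ga=GA1.2.1; _fbp=fb.1.x",
    consented: [],
  },
  declinedAll: {
    cookies: "session_id=abc; consent_state=denied",
    consented: [],
  },
  analyticsOnly: {
    cookies: "session_id=abc; consent_state=a; _ga=GA1.2.1; _gid=GA1.2.2; ab_variant=B; tmp_pixel=1",
    consented: ["analytics"],
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditConsentStates(SAMPLE_SNAPSHOTS), null, 2));
}
```

Run against the constructed snapshots, the `beforeConsent` state fails because `_ga` and `_fbp` were set with no consent at all, `declinedAll` passes, and `analyticsOnly` fails twice: `ab_variant` is a functional cookie set with only analytics consent, and `tmp_pixel` is not in the categorization at all. The second state is the case the post says the periodic rescans never exercise, so a client running this after each scan learns more than the scan itself reports.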
I wonder how many organizations think they’re in the clear when it comes to CCPA or GDPR because they’ve implemented a cookie consent solution, but don’t realize that their solutions never check to make sure they are truly in compliance.

Jason Grigsby is one of the co-founders of Cloud Four, Mobile Portland and Responsive Field Day. He is the author of Progressive Web Apps from A Book Apart. Follow him at @grigs.