What makes cookie consent valid under GDPR and ePrivacy?

Consent must be freely given, specific, informed, and unambiguous, given by a clear affirmative action. In practice that means non-essential cookies are blocked until the user opts in, pre-ticked boxes are forbidden, rejecting must be as easy as accepting, the purposes are explained, and the user can withdraw consent as easily as they gave it.

Do I need a Reject All button?

Effectively yes. Regulators including the ICO and the CNIL have made clear that if accepting all cookies is one click, rejecting all must also be one click at the same level. A banner that offers Accept All prominently but hides rejection behind extra layers is treated as invalid consent.

Are pre-ticked boxes ever allowed?

No. The Court of Justice of the EU confirmed in the Planet49 case that pre-ticked checkboxes do not constitute valid consent, because consent requires an active choice. Any toggle for non-essential cookies must default to off, and silence or continued browsing is not consent.

Which cookies can I set without consent?

Only cookies that are strictly necessary to provide a service the user explicitly requested — such as session, security, and load-balancing cookies, or remembering basket contents. Analytics, advertising, and most personalisation cookies are not strictly necessary and require prior opt-in consent.

Is this checker a substitute for a legal audit?

No. It is a structured self-assessment reflecting the public positions of GDPR Article 7, the ePrivacy Directive, and ICO guidance. National regulators differ in emphasis and enforcement, so a high score here should be confirmed by a privacy specialist and, where relevant, a consent-management-platform audit.

Cookie Consent Compliance Checker

Cookie consent is governed by the ePrivacy Directive for the act of storing or reading cookies, and by the GDPR for what valid consent looks like. Regulators have converged on a clear set of expectations, and most enforcement targets the same handful of banner design failures. This checker scores your implementation against those expectations.

How it works

Each requirement is answered Yes, No, or Partial, and weighted by how heavily regulators enforce it:

score (0–100) = Σ(answerValue × weight) / Σ(weight) × 100
answerValue:  Yes = 1, Partial = 0.5, No = 0

The heaviest weights sit on the failures regulators act on most: setting non- essential cookies before consent, pre-ticked boxes, and rejecting being harder than accepting. Failed and partial items are listed so remediation targets the biggest compliance risks first.

Notes and tips

The single most common breach is firing analytics or advertising tags on page load, before any consent — block all non-essential cookies until the user opts in. Make Reject All a one-click action at the same visual level as Accept All; an unequal banner is treated as no consent at all. Keep a timestamped record of each consent so you can demonstrate it under GDPR Article 7. This is a self-assessment aid, not a legal audit — confirm a high score with a privacy specialist.