HomeFix guides → Cookie consent — runtime verification (informational)

gdpr

How to fix: Cookie consent — runtime verification (informational)

GDPR Art. 7 ePrivacy Directive

Why this matters

An HTML scan can confirm a consent banner is present on the page, but it cannot verify the banner actually works at runtime — does it block tags before consent? does Reject actually stop them? does it remember the choice? Those questions need a real browser. This row flags the boundary so you don't treat a passing CMP-detected check as full consent compliance.

Background

An HTML-only scanner — webauditfix included — cannot observe what cookies actually fire in a real browser. The detection in gdpr.cookie_consent confirms a CMP script is *loaded*, but not that the CMP is correctly configured to (a) block non-essential tags before consent, (b) honour the user's Reject choice, or (c) re-fire only the categories actually consented-to. All three are common configuration failures and all three are unenforceable from HTML alone. This row exists in your report to make that scope-boundary explicit rather than implied.

References

GDPR Art. 7 (conditions for consent) · ePrivacy Directive · EDPB cookie banner guidance 2023

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
Not an nginx concern — verification is a browser-runtime test.
apache
Same.
cloudflare
Same.
wordpress
Verify your Cookiebot / OneTrust / Iubenda / Complianz / CookieYes / Borlabs configuration by loading the site in an incognito Chrome window with DevTools open: Application → Cookies should show ONLY strictly-necessary cookies before you interact with the banner.
flask
Same browser-side check; the test sits at the rendered page, not at the framework.
express
Same.
rails
Same.

Verify it's working

Run consentaudit.eu against this URL — it loads the page in a real browser, observes pre-consent + post-reject cookie state, and reports findings keyed V1–V7 (the headline ones to watch: V1 cookies fire before consent, V3 cookie fires after rejection).

Want to know if your site has this issue?

Run a free 53-check audit — security, GDPR, NIS2, and technical SEO.

Audit my site →