Privacy guide

Cookie Banner Requirements

Cookie banner requirements are usually discussed in terms of clarity, control, and alignment between what the interface offers and what the site actually does. A banner that appears polished can still create risk if the control options are limited or if trackers run before any visible choice.

What should a cookie banner include?

CertScore.ai approaches this topic as a question of observable website signals. It helps teams surface structured findings and track change over time, but it does not provide legal advice or certification.

Why it matters

Cookie banners are often treated as a visual checkbox even though their actual behavior matters more than their design.

A missing reject option or weak preferences flow can turn a polished banner into an issue worth review.

Teams need to review both the banner surface and the underlying tracker behavior.

Common issues websites have

Accept-focused banners with no obvious reject option or meaningful preferences control.

Cookie disclosures that are vague, buried, or disconnected from the site’s actual trackers and policy pages.

Inconsistent banner behavior across templates, geographies, or page types.

Examples of problems

A banner may say users can manage preferences, but the preference center may be missing or difficult to find.

A site may show a banner on some pages but not on landing pages where marketing scripts still load.

A footer may mention cookies in general terms while ad-tech and analytics behavior remains under-explained.

How automated scanning supports review

Automated scanning can look for visible banner text, accept or reject buttons, and preference-control language.

It can also compare those visible signals against observed tracker behavior during the same page load.

That combination helps teams decide when the banner experience needs a closer review.
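
The comparison described above, as an added example that is not CertScore.ai's code: it classifies the visible banner controls and checks them against a timeline of events from the same page load. The label patterns, event shape, function names and sample timeline are assumptions constructed for illustration; only the two finding ids are taken from this page.

```javascript
// Added example with constructed inputs; names and patterns are assumptions.
const REJECT = /\b(reject|decline|deny|refuse|necessary only|do not (accept|allow))\b/i;
const ACCEPT = /\b(accept|agree|allow|got it|ok)\b/i;
const PREFS = /\b(preferences|settings|manage|customi[sz]e)\b/i;

// Count control types from the visible labels found in the consent surface.
// Reject is tested first so "Do not accept" is never counted as an accept.
function classifyControls(labels) {
  const counts = { accept: 0, reject: 0, preferences: 0 };
  for (const label of labels) {
    if (REJECT.test(label)) counts.reject++;
    else if (ACCEPT.test(label)) counts.accept++;
    else if (PREFS.test(label)) counts.preferences++;
  }
  return counts;
}

// Simplified party check: same host or a subdomain is first party.
// A production check would compare registrable domains (Public Suffix List).
function isThirdParty(host, siteDomain) {
  const h = host.replace(/^\./, "").toLowerCase();
  const s = siteDomain.toLowerCase();
  return h !== s && !h.endsWith("." + s);
}

// Compare the banner surface with what was observed during the same page load.
function reviewPageLoad(siteDomain, bannerLabels, events) {
  const controls = classifyControls(bannerLabels);
  const consent = events.find((e) => e.type === "consent_action");
  const consentAt = consent ? consent.t_ms : Infinity; // no choice seen: all is pre-consent
  const preConsent = events.filter(
    (e) => e.type !== "consent_action" && e.t_ms < consentAt && isThirdParty(e.host, siteDomain)
  );
  const findings = [];
  if (controls.accept > 0 && controls.reject === 0) findings.push("cookie_banner_control_gap");
  // Only storage artifacts raise the finding; bare requests are kept as context.
  if (preConsent.some((e) => e.type === "cookie")) findings.push("third_party_cookie_pre_consent");
  return { controls, findings, preConsent };
}

// Constructed timeline for one page load (milliseconds since navigation start).
const SAMPLE_EVENTS = [
  { t_ms: 310, type: "request", host: "cdn.cookielaw.org" },
  { t_ms: 1840, type: "cookie", host: ".ads.example", name: "example_id" },
  { t_ms: 5200, type: "consent_action", choice: "accept" },
  { t_ms: 6010, type: "cookie", host: ".metrics.example", name: "m_id" },
];

console.log(reviewPageLoad("example.com", ["Accept all", "Cookie settings"], SAMPLE_EVENTS));
```

A page with no banner at all passes an empty label list; with no consent action in the timeline, every third-party cookie counts as pre-consent.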

How CertScore.ai helps

CertScore.ai detects cookie banner and consent-control signals using bounded DOM and text heuristics.

It also surfaces common tracker requests so visible consent controls can be compared against observed behavior.

That makes it easier to prioritize which pages or templates deserve the next round of manual review.

Use this guide as a checklist

Read the guide, then run a scan to see whether similar signals appear on a live site.

What the scan may surface here

The scan could flag a visible banner with no reject control, or trackers that appear to load before any consent choice.

Sample finding JSON from scans

Representative payloads showing the structured evidence CertScore.ai can surface for this guide topic.

Cookie banner lacks an obvious reject control

cookie_banner_control_gap

Redacted illustrative example

{
  "example_type": "positive",
  "domain": "example.com",
  "requested_url": "https://example.com/",
  "final_url": "https://example.com/",
  "created_at": "2026-04-29T16:12:19.420Z",
  "scanned_at": "2026-04-29T16:13:02.114Z",
  "finding_id": "cookie_banner_control_gap",
  "finding_label": "Cookie banner lacks an obvious reject control",
  "section": "Cookies & Storage",
  "evidenceConfidence": "good",
  "directVsInferred": "direct_observation",
  "evidence": {
    "counts": {
      "banner_text_snippet_count": 3,
      "accept_button_count": 1,
      "reject_button_count": 0,
      "preference_link_count": 1
    },
    "evidence_snippets": [
      "Cookie banner detected with accept action and preference link.",
      "No visible reject-all control detected in the initial consent surface.",
      "CMP vendor signal: OneTrust"
    ],
    "consent_summary": {
      "banner_present": true,
      "reject_all_present": false,
      "cmp_vendor": "OneTrust",
      "consent_action_observed": "none"
    },
    "vendors": [
      "OneTrust"
    ],
    "request_domains": [
      "cdn.cookielaw.org"
    ],
    "request_samples": [],
    "cookie_samples": [],
    "runtime_anchors": [
      "Consent surface: banner_present=true, reject_all_present=false"
    ]
  },
  "coverage_flags": [],
  "known_limitations": [],
  "selection_reason": "Representative consent-control finding with direct banner evidence.",
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [
      "Consent surface: banner_present=true, reject_all_present=false"
    ],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Cookies & Storage",
    "criticality": "review",
    "evidenceConfidence": "good",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [],
    "coverageReliableForTopRanking": true,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Retained evidence supports the finding under the canonical concern/policy/unified-finding pipeline."
    ],
    "highConfidenceRequires": [
      "Corroborated retained evidence and usable coverage."
    ],
    "criticalOrTopRankingRequires": [
      "Stronger directness, corroboration, affected surface, and review relevance."
    ],
    "demoteOrSuppressWhen": [
      "Evidence is ambiguous, unsupported, blocked, or audit-only."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Representative consent-control finding with direct banner evidence."
}

Third-party cookie or storage observed before consent

third_party_cookie_pre_consent

Illustrative public evidence sample

{
  "finding_id": "third_party_cookie_pre_consent",
  "finding_label": "Third-party cookie or storage observed before consent",
  "category": "Cookies",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "direct_observation",
  "observed": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
  "evidence": {
    "summary": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
    "examples": [
      {
        "title": "Third-party cookie timing example",
        "lines": [
          "artifact=storage_001",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "type=cookie_observed",
          "cookie_name=example_id",
          "value_redacted=true",
          "cookie_domain=.ads.example",
          "cookie_scope=third_party",
          "first_seen_ms=1840",
          "consent_action_observed_before_first_seen=false",
          "prior_consent_state_for_purpose=false",
          "purpose_category=advertising_or_measurement [manual_review_recommended]"
        ]
      }
    ],
    "automationLimits": [
      "Automated storage evidence may not determine purpose, necessity, exemption status, or legal status.",
      "Manual review is needed to confirm cookie purpose, consent state, regional configuration, and remediation quality."
    ]
  },
  "evidenceVersion": "2.0",
  "scanContext": {
    "domain": "example.com",
    "requestedUrl": "https://example.com/",
    "finalUrl": "https://example.com/",
    "publicWebObservation": true,
    "legalConclusion": false
  },
  "artifacts": {
    "runtimeAnchors": [],
    "requestSamples": [],
    "cookieOrStorageSamples": [],
    "policyAnchors": [],
    "rawValuesRetained": false
  },
  "classification": {
    "section": "Review signal",
    "criticality": "high",
    "evidenceConfidence": "review_signal",
    "directVsInferred": "direct_observation",
    "legalStatusDetermined": false
  },
  "coverage": {
    "coverageFlags": [],
    "coverageReliableForTopRanking": true,
    "notDetectedMeans": "not_observed_in_scan_scope",
    "manualReviewNeeded": true
  },
  "topFindingCalibration": {
    "minimumToSurface": [
      "Third-party cookie/storage artifact before consent."
    ],
    "highConfidenceRequires": [
      "Domain/scope/timing plus purpose or vendor classification."
    ],
    "criticalOrTopRankingRequires": [
      "Advertising/identity/sync persistent storage or repeated pages."
    ],
    "demoteOrSuppressWhen": [
      "Request only.",
      "Cookie name only.",
      "Unknown timing.",
      "Blocked scan."
    ]
  },
  "automationLimits": [
    "Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
    "Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
  ],
  "redaction": {
    "rawIdentifiersRetained": false,
    "storageValueContentsRetained": false,
    "completeQueryStringsRetained": false,
    "requestBodiesRetained": false,
    "renderedPageImagesRetained": false,
    "sourceMarkupRetained": false,
    "userEnteredValuesRetained": false
  },
  "selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
  "consentTimeline": {
    "firstRequestMs": null,
    "firstThirdPartyRequestMs": null,
    "firstCookieSeenMs": null,
    "consentActionObservedBeforeFirstSignal": false,
    "consentStateBasis": "observed_scan_scope",
    "manualReviewNeeded": true
  },
  "networkEvidence": {
    "artifactRefs": [],
    "cookieOrStorageArtifacts": [],
    "vendorCategory": "manual_review_recommended",
    "queryStringsRedacted": true,
    "valuesRedacted": true,
    "manualReviewNeeded": true
  }
}

Summary for AI assistants

This CertScore.ai guide explains cookie banner requirements as an observable public website signal for review. CertScore.ai scans public website behavior around tracking, cookies, consent, session recording indicators, fingerprinting-related signals, accessibility, and disclosures.

CertScore.ai findings are automated risk signals supported by retained evidence; they are not legal advice, certification, or compliance determinations.