policystamp.com

Is My Cookie Policy GDPR Compliant?

Paste your policy. We check it against GDPR consent rules, ePrivacy, and EDPB guidance.

Free · No signup · ~20 seconds
  • Covers ePrivacy + GDPR consent + EDPB / ICO guidance together
  • Distinguishes blockers from polish — what attracts ICO action vs. best practice
  • Maps each finding to the specific rule it cites

GDPR does not itself govern cookies — the ePrivacy Directive does. But ePrivacy points to GDPR for the definition of "consent", which is where most enforcement comes from. The EDPB has tightened consent guidance progressively since 2019 (Opinion 5/2019, Guidelines 05/2020), and the ICO has issued specific dark-pattern guidance since 2023. Our checker walks your policy through all three: the ePrivacy consent requirement, GDPR Art. 7 standards, and current EDPB / ICO interpretive guidance. The output is a compliance score plus the specific items you are missing.

What we check

Grounded in real law, not training-data recall.

ePrivacy consent requirement

Storing or accessing information on a user's device requires consent for non-essential purposes. Strictly-necessary cookies are exempt; analytics and marketing are not.

GDPR Art. 7 standard

Consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Pre-ticked boxes do not count.

EDPB / ICO dark-pattern guidance

Equal-prominence Accept vs. Reject buttons, no "Accept All" without an equally accessible reject, no nag walls that force consent.

Specific cookie disclosure

EDPB Guidelines 05/2020 require disclosure of specific cookies, their duration, and third-party recipients. Generic categories alone fall short.

Withdrawal mechanism

Whether the user can re-open consent preferences as easily as they gave consent. A persistent re-open link or icon is the de facto standard.

Common findings

What you'll probably see in the report.

  • Pre-ticked boxes for analytics consent

    Direct GDPR violation (Planet49 ruling, CJEU C-673/17). The most common critical finding in EU-focused cookie audits.

  • "Accept All" without "Reject All"

    Per EDPB Guidelines 05/2020, the reject option must be equally accessible. CNIL has issued fines for missing this.

  • No persistent re-open mechanism

    Once consent is given, the user must be able to withdraw as easily. A "cookie settings" link in the footer or a floating shield icon is standard.

Ready to find the gaps in your cookie policy?

Paste a URL or your cookie policy text. Get a structured gap report plus a 0–100 compliance score in around 20 seconds. Free, no signup, no email.

Run your audit now.

Free, structured, calibrated for SMBs. Paste your URL or text and get the report in seconds.