Skip to contentSkip to content
Cookie banner and consent dashboard on screen
Web Compliance5 min readFor privacy, web & marketing teams

Cookie Compliance: 5 Evidence Gaps Auditors Keep Finding

CMP logs, consent scope, dark patterns, and what “proof” looks like in practice across EU/UK guidance — so you can survive cookie audits without rebuilding your whole site.

Key points for cookie compliance
  • Regulators increasingly ask to see evidence, not just policies or a banner.
  • Most gaps come from mismatches between consent, tags and vendor behaviour.
  • Good cookie compliance is mainly about logs, scope and process, not perfection.
  • A 3–6 month plan is often enough to move from “risky” to “defensible”.

Cookie banners have become wallpaper. Auditors and regulators know that, so they rarely stop at “Does the banner exist?”. They go further and ask a simple question: Can you prove what actually happens?

That’s where many organisations stumble. The banner looks fine, the policy has the right words, but when someone asks for logs, mapping or change history, the evidence is patchy at best.

In this article we look at five recurring evidence gaps that keep showing up in EU/UK cookie and tracking audits — and the practical steps you can take to close them.

1. Gap: Missing or unusable CMP logs

Most modern consent management platforms (CMPs) can generate consent logs. The problem is rarely that logs don’t exist — it’s that nobody can access, interpret or explain them when it matters.

Typical issues we see include:

  • Logs stored for too short a period compared to your retention policy or regulatory expectations.
  • Logs that record only “choice made” but not versioning information for the banner or vendor list.
  • No clear way to tie a complaint or user ID to a specific consent record.

From an auditor’s perspective, you should be able to answer questions like “What did your banner look like in March?” or “What consent did this user give on this date?” without starting a forensic project.

Practical fix: schedule a short session with whoever owns the CMP and:

  • Confirm how long logs are kept and whether that matches your policy.
  • Export a small sample and document what each field means.
  • Agree a simple process for pulling logs for complaints, DPIAs or audits.

2. Gap: Consent scope vs. actual tracking

The second gap is a mismatch between what your banner says and what your site actually does. On paper, users consent separately to analytics, marketing and functional cookies. In practice, tags often fire in bundles, and vendor scripts bring their own friends.

Common patterns include:

  • Tags that fire on page load regardless of consent choice because they were hard-coded for historical reasons.
  • Third-party pixels and SDKs added by marketing teams directly to a tag manager, bypassing CMP configuration.
  • “Legitimate interest” used as a catch-all, without a clear LIA/DPIA or real opt-out mechanism.

Auditors will often run simple tools or manual tests to see whether tracking changes when they reject non-essential cookies. If nothing changes, the banner is effectively cosmetic.

Practical fix: run a basic tag-by-tag mapping:

  • Export your tag manager configuration.
  • For each tag: purpose, category (necessary/analytics/marketing), and the consent signal it relies on.
  • Test a few pages with “accept all” and “reject all” and compare network calls and cookies actually set.

3. Gap: Withdrawals and preference changes

Many organisations can show consent being collected but struggle to demonstrate how withdrawals and preference changes are handled.

  • No clear “change cookie settings” link outside the banner.
  • Preference changes that do not actually disable the underlying tags.
  • No documentation to show how long it takes to apply opt-outs.

From a regulator’s standpoint, withdrawing consent must be as easy as giving it — and it must have a real effect.

Practical fix: pick a test user and walk through the full flow (accept → browse → reject) and confirm:

  • Marketing/analytics calls stop after opt-out.
  • Your CMP logs capture the preference change clearly.

4. Gap: Dark patterns and nudging in the UI

Even when the underlying tech is sound, banner design itself can create risk. Regulators focus on dark patterns — designs that steer users toward “accept all”.

Red flags include:

  • “Accept all” as a primary button while “Reject” is hidden or harder to find.
  • No “reject all” at the same level as “accept all”.
  • Language implying refusal will break the site when it won’t.

Practical fix: capture 1–2 iterations with screenshots and a short note explaining why the current design is fairer.

5. Gap: Vendor transparency & TCF signals

Many organisations rely on vendor lists (and sometimes frameworks like TCF) but can’t explain how vendors are controlled or what is shared.

Typical issues:

  • Vendor lists out of date compared to what’s implemented.
  • No documentation of which vendors are active per region/product.
  • Consent strings generated but never validated in real tests.

Practical fix: maintain a lightweight tracking & vendors register linking each vendor to:

  • Purpose and category
  • Regions where active
  • Consent signal / legal basis used

What “good” looks like to an auditor

  • You understand where tracking happens.
  • You can produce logs and change history without panic.
  • You have clear ownership and a realistic improvement plan.

A 90-day plan to tighten cookie evidence

  1. Weeks 1–4: Inventory & testing (map tags, test accept/reject, document mismatches).
  2. Weeks 5–8: Fix big gaps (re-wire tags, remove obvious dark patterns, align vendor lists).
  3. Weeks 9–12: Evidence & playbooks (log guide, evidence pull steps, add checks to campaigns).

Common pitfalls to avoid

  • “We changed the banner, so we’re done.” Evidence often fails in logs and tag configuration underneath.
  • One-off scans only. Without ownership and follow-up, results become shelfware.
  • Silos. Cookie compliance spans privacy, marketing, product and engineering.

What to do next

Start with a lightweight review of CMP configuration, tag mapping and logs. Then pick a few high-impact fixes that improve the evidence story — even if the stack isn’t perfect yet.

This article is for general information only and does not constitute legal advice. Always seek specific advice for your organisation and jurisdictions where you operate.