Cookiebot, CookieYes, and Usercentrics are three of the most widely deployed consent management platforms in Europe. All three are technically capable. All three can produce a GDPR-compliant cookie banner when configured correctly.
That last part is where things go wrong.
A cookie banner compliance audit is not an evaluation of the platform itself. It is an evaluation of how the platform has been implemented on your specific website, with your specific cookies, for your specific jurisdiction. The tool does not determine compliance. The configuration does.
This distinction matters because organizations regularly assume that deploying a recognized CMP is sufficient. It is not. Regulators do not audit the vendor. They audit you.
Why “having a CMP” is not the same as being compliant
The EU’s data protection authorities have issued fines and enforcement actions against organizations that used legitimate consent management platforms but configured them incorrectly. The French CNIL, the Belgian DPA, and the Dutch AP have all published decisions where the presence of a well-known CMP was not a mitigating factor when the implementation was non-compliant.
In practice, most issues uncovered in a cookie banner compliance audit are not platform-related, but configuration errors that go unnoticed without independent validation.
Common failure modes include:
- Cookies firing before consent is given
- Pre-ticked boxes or implied consent logic
- No genuine reject option on the first layer of the banner
- Consent records that do not include the exact version of the policy shown to the user
- Cookie scans that are outdated and miss newly added third-party scripts
Each of these can occur with Cookiebot, CookieYes, or Usercentrics. The platform is not the problem. The configuration is.
What a cookie banner compliance audit actually covers
A proper audit validates implementation, not just presence. For any CMP, the audit should cover six core areas.
1. Pre-consent cookie firing
The single most common failure. Using your browser’s developer tools (or an automated scanner), you verify that no non-essential cookies are set before the user has made an active choice. This includes analytics cookies, advertising pixels, social media embeds, and any third-party tracking loaded via Google Tag Manager or a similar container. Check the network log as well as the cookie jar: a request to a third-party tracking endpoint before consent is also a finding, even when it sets no new cookie, because the browser may attach identifiers that endpoint stored on an earlier visit. Test in a fresh browser profile with no stored consent, and on several page types (home, product, checkout, logged-in) rather than only the landing page.
With Cookiebot, this typically requires verifying that the “automatic blocking” mode is active and that all scripts have been correctly categorized. Miscategorized scripts are common when new tags are added to GTM without updating the Cookiebot cookie declaration.
With CookieYes, blocking depends on the CMP script intercepting the other scripts on the page, so it only works if the CMP script loads synchronously and before every tag it is meant to block. A deployment that loads it asynchronously, or after other third-party tags, lets those tags run. This is a load-order issue that requires technical verification, not just a visual check of the banner.
With Usercentrics, the Data Layer mode and the interaction with Google Consent Mode v2 both require accurate mapping. If Consent Mode is enabled but the consent update never reaches the tags (for example because GTM triggers fire on page view rather than on the consent event, or because a CMP category is mapped to the wrong consent type), cookies may fire despite the consent setup appearing correct on the surface.
In real-world environments, this remains the most frequent critical finding, particularly in setups involving Google Tag Manager and multiple third-party scripts, something consistently identified during a Nixon Pro Privacy Audit.
2. Consent before cookies, not just before content
There is a subtle but legally significant distinction between blocking content (such as a YouTube embed) and blocking the cookies that content would set. An audit checks both. Some implementations block the visible embed but still allow the iframe’s tracking cookies to fire, particularly in older CookieYes deployments using content blocking without full script blocking.
3. Banner design and dark patterns
Since the EDPB published its Guidelines 03/2022 on dark patterns, European data protection authorities including the French CNIL and the Swedish IMY have actively enforced against non-compliant cookie banner design. An audit checks:
- Whether “Accept” and “Reject” options are equally prominent
- Whether the color or placement of the reject option discourages its use
- Whether the user is required to navigate multiple layers to reject
- Whether the language used for consent is clear and specific, not vague
All three platforms allow compliant design. All three also allow non-compliant design if the person configuring the banner is not aware of the requirements. This is a configuration issue, not a platform limitation.
4. Consent record accuracy
GDPR requires that you can demonstrate consent was freely given, specific, informed, and unambiguous. In practice, this means your CMP must log:
- The timestamp of the consent event
- The exact consent categories the user accepted or rejected
- The version of the cookie policy displayed at the time
- A pseudonymous identifier for the visitor (storing the raw IP address adds a second set of personal data to protect; a keyed hash that can still be matched against a later request is usually enough)
Cookiebot provides this through its consent log. CookieYes stores consent records server-side or in a cloud dashboard depending on the plan. Usercentrics maintains a consent history in its reporting module. An audit validates that these records are complete, accessible, and would hold up under a subject access request or regulatory inquiry.
5. Cookie scan freshness and completeness
All three platforms offer automated cookie scanning. The scan identifies cookies set on your domain and categorizes them. Two limits matter. Scans are only accurate at the time they run: if you add a new analytics tag, a retargeting pixel, or a support chat widget after the last scan, those cookies will not appear in your declaration. And scans crawl as an anonymous visitor, so cookies set only behind a login, in the checkout flow, or after a specific interaction are routinely missed.
An audit cross-references the live cookie declaration against an independent scan run at the time of the audit. Gaps between the two are a direct compliance risk. Regulators can and do run their own technical scans. If your declaration lists 12 cookies and a scan finds 27, that discrepancy requires explanation.
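The same cross-check, applied both to the pre-consent snapshot from area 1 and to the declaration-versus-scan comparison in this section, as an added example in JavaScript that is not part of the page or of any CMP vendor's tooling. It assumes the declaration is exported as a name-to-category map with trailing-wildcard patterns, takes cookie names from a document.cookie string and from Set-Cookie headers copied out of the network panel, and uses constructed sample data:

```javascript
// Added example (not Cookiebot, CookieYes or Usercentrics code): cross-check the cookies a
// real browser session actually sets against the CMP's cookie declaration, both before
// consent and after a partial consent. The declaration, cookie names and captured
// headers below are constructed for illustration.

const ESSENTIAL_CATEGORIES = new Set(['necessary']);

// Names from a document.cookie string ("a=1; b=2"). HttpOnly cookies are invisible here,
// so the Set-Cookie headers from the network log are parsed as well.
function namesFromDocumentCookie(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split('=')[0]);
}

// Names from captured Set-Cookie response header values.
function namesFromSetCookie(setCookieValues) {
  return setCookieValues.map((value) => value.split(';')[0].split('=')[0].trim());
}

// Declarations often use a trailing-wildcard pattern ("_ga_*") for cookies with a dynamic suffix.
function matchesPattern(name, pattern) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

function declaredCategory(name, declaration) {
  const hit = Object.entries(declaration).find(([pattern]) => matchesPattern(name, pattern));
  return hit ? hit[1] : null;
}

// Audit one snapshot of observed cookie names. `consented` holds the categories the user
// accepted; before any choice it is empty, so only essential cookies may be present.
function auditSnapshot(observedNames, declaration, consented) {
  const findings = { undeclared: [], unauthorized: [] };
  for (const name of new Set(observedNames)) {
    const category = declaredCategory(name, declaration);
    if (category === null) {
      findings.undeclared.push(name);
    } else if (!ESSENTIAL_CATEGORIES.has(category) && !consented.has(category)) {
      findings.unauthorized.push({ name, category });
    }
  }
  return findings;
}

// Declared entries that a full-site scan never observes: stale declaration lines.
function staleDeclarations(observedNames, declaration) {
  return Object.keys(declaration).filter(
    (pattern) => !observedNames.some((name) => matchesPattern(name, pattern)),
  );
}

// --- Constructed sample data, not captured from a real site ---
const DECLARATION = {
  CookieConsent: 'necessary',
  PHPSESSID: 'necessary',
  _ga: 'statistics',
  '_ga_*': 'statistics',
  _fbp: 'marketing',
  old_ab_test: 'preferences',
};

// Snapshot taken on first page load, before the banner was answered.
const PRE_CONSENT_DOCUMENT_COOKIE = 'PHPSESSID=abc123; _ga=GA1.1.1; _ga_XYZ=GS1.1.1; _gcl_au=1.1.2';
const PRE_CONSENT_SET_COOKIE = [
  '_fbp=fb.1.1700000000.1; Path=/; Domain=.example.test',
  'PHPSESSID=abc123; Path=/; HttpOnly',
];

// Everything a full crawl observed after the user accepted statistics only.
const FULL_SCAN_NAMES = ['CookieConsent', 'PHPSESSID', '_ga', '_ga_XYZ', '_gcl_au', '_fbp'];

function preConsentFindings() {
  const observed = [
    ...namesFromDocumentCookie(PRE_CONSENT_DOCUMENT_COOKIE),
    ...namesFromSetCookie(PRE_CONSENT_SET_COOKIE),
  ];
  return auditSnapshot(observed, DECLARATION, new Set());
}

function postConsentFindings() {
  return auditSnapshot(FULL_SCAN_NAMES, DECLARATION, new Set(['statistics']));
}

function declarationGaps() {
  return {
    undeclared: auditSnapshot(FULL_SCAN_NAMES, DECLARATION, new Set()).undeclared,
    stale: staleDeclarations(FULL_SCAN_NAMES, DECLARATION),
  };
}

console.log(JSON.stringify({ preConsent: preConsentFindings(), postConsent: postConsentFindings(), gaps: declarationGaps() }, null, 2));
```

In a live audit the document.cookie string comes from the console and the Set-Cookie values from the network panel, both captured in a fresh profile before the banner is touched. document.cookie only shows first-party cookies, which is why the network capture matters: cookies set by a third-party pixel on its own domain never appear in it. Every entry in `unauthorized` from the pre-consent snapshot is a finding under area 1; every `undeclared` or `stale` entry is the declaration-versus-scan discrepancy that needs explaining.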
6. Geo-Targeting and jurisdictional logic
GDPR applies to anyone who is in the EU or EEA when they use your site, regardless of residence or nationality. CCPA applies to California residents. LGPD applies to individuals in Brazil. If your website serves users across multiple jurisdictions, your CMP must serve the correct banner based on location.
All three platforms support geo-targeting. An audit verifies that the geo-targeting logic is active, that the correct legal frameworks are assigned to the correct regions, and that fallback behavior is defined for users whose location cannot be determined. Because IP geolocation is approximate (VPNs, corporate proxies, mobile carriers), the safe fallback is the strictest framework you serve, not no banner at all.
Platform-Specific risk areas
Cookiebot was acquired by Usercentrics in 2021 and is now positioned as the SMB-focused product within the same organization. It remains one of the most widely deployed CMPs in Europe, particularly among WordPress and Shopify sites.
The most common audit findings with Cookiebot involve GTM integration. When Google Tag Manager is used alongside Cookiebot, the order in which scripts load matters significantly. Tags whose triggers fire on page view execute before Cookiebot has reported the user’s choice, regardless of consent settings. The fix is to make every non-essential tag conditional on consent: either trigger it on Cookiebot’s consent events rather than on page view, or rely on GTM’s built-in consent checks for tags that support them, and then verify the result in a fresh browser profile. This is a technical step that many non-developer configurations skip.
A secondary risk area is the cookie declaration page. Cookiebot auto-generates a declaration, but it must be embedded on a visible, accessible page. If the declaration page is missing, broken, or returns a 404, users cannot access the information they are legally entitled to see before consenting.
Cookiebot also raised its Premium pricing significantly in mid-2025, which has led some organizations to downgrade plans. Older free-tier configurations lack some of the more advanced blocking and reporting features, creating compliance gaps that were not present before the pricing change.
CookieYes is commonly used by smaller websites and e-commerce operations, particularly those built on WordPress with WooCommerce or similar platforms. Its ease of setup is a strength and a risk: the low barrier to deployment means many organizations configure it without fully understanding what each setting does.
The most common audit findings with CookieYes involve the interplay between its banner categories and the actual cookies present on the site. By default, CookieYes categorizes cookies based on its own database. If a cookie is not in that database, it may be placed in the wrong category or left uncategorized. Uncategorized cookies are a compliance risk because the user cannot make an informed choice about what they are consenting to.
CookieYes also introduced a “revisit consent” feature that allows users to change their consent choices. An audit checks that this feature is accessible, that it functions correctly on all device types, and that when consent is withdrawn, the relevant cookies are actually removed or blocked going forward.
Usercentrics is typically found in mid-to-large enterprise environments and is one of the more technically sophisticated CMPs on the market. Its integration depth with Google Consent Mode v2, the IAB Transparency and Consent Framework (TCF 2.2), and custom data layer configurations makes it powerful. It also makes misconfiguration more consequential.
The most common audit findings with Usercentrics involve TCF vendor lists. Consent signalled through the TC String only covers vendors registered in the IAB Global Vendor List; a vendor outside that list needs separate, non-TCF consent. If your site uses third-party vendors that are not on the list and nothing else covers them, or if your Usercentrics configuration includes vendors that are not actually active on your site, the consent record is inaccurate in either direction.
A second risk area is Consent Mode v2 signal accuracy. Usercentrics supports both “Basic” and “Advanced” Consent Mode. In Basic mode, Google tags are not loaded at all until the user has made a choice. In Advanced mode, Google tags load immediately with every consent type defaulted to denied and send cookieless pings to Google before consent; those pings are expected traffic, but an auditor should confirm they carry no cookies or user identifiers, since the request itself still exposes the IP address. An audit checks which mode is active, whether the signals sent after the user’s choice match the categories actually accepted, and whether the GTM implementation reflects the correct trigger conditions.
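To make the two Consent Mode findings concrete (tags firing before the signal arrives, and a live signal that does not match the user’s choice), here is an added model in JavaScript. It is not Usercentrics, Google or GTM code; the tag list, the category-to-consent-type mapping and the scenarios are assumptions for illustration, and the Basic/Advanced behaviour is modelled from the description above:

```javascript
// Added example (not Usercentrics, Google or GTM code): a small model of how Consent Mode v2
// signals are meant to gate tags, used to reason about two findings: tags firing before the
// CMP's signal arrives, and a live signal that does not match the user's choice. The tag
// list, the `requires` mapping and the scenarios are constructed for illustration.

const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// mode 'basic':    Google tags stay unloaded until the CMP signal arrives.
// mode 'advanced': Google tags load at once with every type denied and may send cookieless pings.
function createConsentGate(mode) {
  // Equivalent of gtag('consent', 'default', ...) with everything denied; it must exist before any tag loads.
  const state = Object.fromEntries(CONSENT_TYPES.map((type) => [type, 'denied']));
  let ready = false; // true once the CMP has delivered the user's (or a stored) choice
  const held = [];   // tags requested before the signal arrived
  const log = [];    // what an auditor would see in the network log

  const allowed = (tag) => tag.requires.every((type) => state[type] === 'granted');

  function dispatch(tag) {
    log.push(`${tag.name}:${allowed(tag) ? 'fired' : 'blocked'}`);
  }

  return {
    // Equivalent of gtag('consent', 'update', {...}) from the CMP's consent callback.
    update(partial) {
      Object.assign(state, partial);
      ready = true;
      held.splice(0).forEach(dispatch); // replay tags that were waiting for the signal
    },
    // A GTM trigger asking for a tag to fire.
    request(tag) {
      if (ready || tag.requires.length === 0) return dispatch(tag); // strictly necessary needs no consent
      if (mode === 'advanced' && tag.googleTag) {
        log.push(`${tag.name}:cookieless ping`); // expected pre-consent traffic; must carry no cookie
      }
      held.push(tag);
    },
    state: () => ({ ...state }),
    log: () => [...log],
  };
}

// Map CMP categories to the Consent Mode types they should drive. This is the auditor's
// expectation; the live mapping is whatever the CMP configuration actually sends.
function expectedSignals(acceptedCategories) {
  const signals = Object.fromEntries(CONSENT_TYPES.map((type) => [type, 'denied']));
  if (acceptedCategories.includes('statistics')) signals.analytics_storage = 'granted';
  if (acceptedCategories.includes('marketing')) {
    for (const type of ['ad_storage', 'ad_user_data', 'ad_personalization']) signals[type] = 'granted';
  }
  return signals;
}

// Consent types whose live value differs from what the user's choice implies.
function signalMismatches(liveState, acceptedCategories) {
  const expected = expectedSignals(acceptedCategories);
  return CONSENT_TYPES.filter((type) => liveState[type] !== expected[type]);
}

// Constructed tag inventory: which consent types each tag needs before it may set storage.
const TAGS = [
  { name: 'fraud-check', requires: [], googleTag: false },
  { name: 'ga4', requires: ['analytics_storage'], googleTag: true },
  { name: 'google-ads', requires: ['ad_storage', 'ad_user_data'], googleTag: true },
  { name: 'meta-pixel', requires: ['ad_storage'], googleTag: false },
];

// Page view fires every tag's trigger; the user then accepts statistics and rejects marketing.
function runScenario(mode) {
  const gate = createConsentGate(mode);
  TAGS.forEach((tag) => gate.request(tag));
  gate.update(expectedSignals(['statistics']));
  return gate.log();
}

// Misconfigured CMP: the update grants ad_storage although only statistics was accepted.
function runMisconfiguredScenario() {
  const gate = createConsentGate('basic');
  gate.update({ analytics_storage: 'granted', ad_storage: 'granted' });
  return signalMismatches(gate.state(), ['statistics']);
}

console.log(runScenario('basic'), runScenario('advanced'), runMisconfiguredScenario());
```

Two things to read off the log. In Advanced mode the `cookieless ping` entries for Google tags appear before any consent, so pre-consent requests to Google endpoints are not automatically a finding; requests that set or send a cookie are. And `runMisconfiguredScenario` shows the mismatch check an auditor performs by comparing the live consent state (readable from the page’s dataLayer) against the choice recorded in the CMP: here `ad_storage` is granted without the user ever accepting marketing.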
What regulators look for
European DPAs have become more technically specific in their enforcement criteria since 2023. They are no longer evaluating whether a banner exists. They are evaluating whether it works as claimed.
The key questions a regulator will ask are:
- Can you demonstrate that no non-essential cookies fired before the user consented?
- Can you produce a consent record for a specific user on a specific date?
- Is your cookie declaration accurate and current?
- Is the reject option as accessible as the accept option?
- Can users withdraw consent as easily as they gave it?
If your answer to any of these is “we think so” rather than “here is the evidence,” you have an audit finding.
The case for independent validation
All three platforms offer their own reporting and compliance features. These are useful. They are not the same as an independent audit.
When a CMP vendor tells you that your implementation is compliant, they are telling you that the configuration passes their internal checks. Those checks are designed around the platform’s own logic. They do not account for conflicts with other scripts on your site, GTM misconfigurations, outdated cookie declarations, or jurisdictional logic errors that fall outside the platform’s scope.
An independent audit, such as the Nixon Pro Privacy Audit, evaluates your actual website, not your CMP dashboard. It tests what happens in a real browser, under real conditions, before and after consent is given. It produces documentation that you can present to a regulator, an auditor, or your legal team with confidence.
If you have deployed Cookiebot, CookieYes, or Usercentrics and have not had an independent validation in the past 12 months, you are relying on configuration assumptions rather than verified compliance.
A structured audit gives you defensible evidence instead of guesswork. You can start with a Nixon Pro Privacy Audit to benchmark your current setup.
Frequently Asked Questions (FAQ)