Your Cookie Banner Is Probably Breaking GDPR — Here's the 20-Point Audit to Find Out

You installed a cookie banner plugin, clicked through the setup, and moved on. That was six months ago. You just received an email from a user asking why your site set cookies before they clicked "Accept." You do not know the answer. That is the moment most founders discover that having a cookie banner and having a compliant cookie banner are two different things. The GDPR does not require the presence of a banner. It requires the quality of a specific consent mechanism — one that meets precise legal requirements the vast majority of pre-built plugins do not enforce by default. This article gives you the 20-point audit to find out where your implementation stands, before a Data Protection Authority does it for you. 1. Why "I Have a Cookie Banner" Is Not the Same as "I'm GDPR Compliant" The core legal requirement is in GDPR Article 4(11): consent must be "freely given, specific, informed, and unambiguous." Recital 32 adds the operative detail — "silence, pre-ticked boxes or inactivity s