Legal & Compliance guidance from real scan results.

Consent, tracking behaviour, policy disclosures, and California/EU privacy signals.

Guide Mar 1, 2026

Tracking Continues After Cookie Rejection — GDPR Non-Compliance

The EDPB Cookie Banner Taskforce confirmed that when users reject cookies, all third-party tracking must stop immediately (EDPB Report, 2023-2024). Sweden's data authority ruled in March 2025 that even making the "accept" button more visually prominent than "refuse" violates compliance rules. If your trackers persist after rejection, you're not just non-compliant — you're creating audit evidence against yourself.

Guide Mar 1, 2026

Tracking Fires Before Cookie Consent — GDPR Violation Risk

CNIL fined Google €150M in 2021 for making cookie rejection harder than acceptance, then escalated to a €325M fine in September 2025 for inserting ads without valid consent (CNIL enforcement records). These aren't just big-company problems — the EDPB's 2024 guidelines confirm that any storage or access to information on user devices (cookies, URL tracking, pixel tracking) requires prior consent. Every unconsented tracker impression is a violation.

Guide Mar 1, 2026

High-Risk Trackers Active Without Explicit Consent

GDPR classifies browser fingerprinting as personal data processing requiring prior consent, and session replay tools that capture form data or personal information require explicit, informed consent (GDPR Article 4). Non-compliance carries fines up to €20M or 4% of global annual revenue, whichever is higher (GDPR Article 83). These are the highest-risk trackers regulators look for because they're inherently invasive.

Guide Mar 1, 2026

CCPA "Do Not Sell" Opt-Out Link Missing or Broken

The California Privacy Protection Agency fined Tractor Supply $1.35M in September 2025 — the largest CCPA fine to date — because their "Do Not Sell" link routed to a form that didn't actually stop data selling (CPPA Final Order). Disney paid $2.75M for similar non-compliance. CCPA fines are $2,663 per negligent violation and $7,988 per intentional violation (adjusted 2024 rates).

Guide Mar 1, 2026

Cookie Consent Banner Missing Reject Parity

The EDPB requires that cookie banners include an equally conspicuous "Reject All" button on the first layer — making rejection as easy as acceptance (EDPB Cookie Banner Taskforce Report, 2023). CNIL fined Google €150M specifically because acceptance required one click while rejection required five. Both French and Spanish authorities treat a missing reject button as a violation.

Guide Mar 1, 2026

Privacy Policy Doesn't Match Actual Tracking Behaviour

The FTC fined Avast $16.5M in 2024 specifically because their privacy policy claimed data was "pseudonymised and anonymised" while they actually shared granular, non-aggregated browsing data with subsidiary Jumpshot (FTC, 2024). Regulators now routinely audit whether privacy policy claims match runtime behaviour. Scavo checks this by comparing your declared tracking practices against what actually loads on your pages.

Guide Mar 1, 2026

Privacy Policy or Terms Not Easily Discoverable

The FTC fined Avast $16.5M in 2024 for collecting and selling browsing data that contradicted their privacy policy promises (FTC enforcement action). Privacy policies and terms must be easily discoverable — not just present, but findable. Most legal frameworks (GDPR, CCPA, FTC Act) require clear, accessible disclosure. A footer link is the minimum standard.
