Your Cookie Banner Is Probably Breaking GDPR — Here's the 20-Point Audit to Find Out

Source: DEV Community
You installed a cookie banner plugin, clicked through the setup, and moved on. That was six months ago. You just received an email from a user asking why your site set cookies before they clicked 'Accept.' You don't know the answer. If that scenario sounds familiar, you're not alone — and the stakes are higher than most founders realize. GDPR does not care that you installed a plugin. It cares whether the plugin actually implements a valid consent mechanism. Those are very different things.

1. Why "I Have a Cookie Banner" Is Not the Same as "I'm GDPR Compliant"

The gap between having a cookie banner and having a compliant cookie banner is where most founders get into trouble. GDPR defines valid consent in Article 4(11) and Article 7: it must be freely given, specific, informed, and unambiguous. An indication of agreement must involve a clear affirmative action — which means silence, pre-ticked boxes, or inactivity (like scrolling) cannot constitute consent.

Three specific requirements
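The two checks the section describes (were any non-essential cookies set before the user acted, and does the recorded consent actually satisfy the freely given / specific / informed / unambiguous test) can be expressed as small pieces of logic. The JavaScript below is an added example, not code from the article or from any banner plugin; the cookie names in ESSENTIAL_COOKIES, the consent-record shape, and the function names are assumptions made for illustration. It reads a document.cookie-style string so it can run in Node on a captured snapshot as well as in the browser.

```javascript
// Added example, not the article's code. Models the GDPR Art. 4(11)/7 consent
// properties as checks a site can run against its own banner's output.

// Cookie names this site classifies as strictly necessary (constructed list;
// a real site would derive it from its own cookie inventory).
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieHeader(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    out[eq === -1 ? trimmed : trimmed.slice(0, eq)] = eq === -1 ? "" : trimmed.slice(eq + 1);
  }
  return out;
}

// Audit check: given a cookie snapshot taken on first load, before any click on
// the banner, return the non-essential cookies. Anything returned was set
// without consent, which is exactly the complaint in the opening scenario.
function auditPreConsentCookies(cookieString, essential = ESSENTIAL_COOKIES) {
  return Object.keys(parseCookieHeader(cookieString))
    .filter((name) => !essential.has(name))
    .sort();
}

// Validate a consent record against the four Art. 4(11) properties.
// Assumed record shape:
//   action:          "accept_click" | "save_preferences" | "scroll" | "timeout" | "close"
//   defaults:        per-purpose toggle state BEFORE the user touched anything
//   choices:         per-purpose state the user submitted
//   policyShown:     purposes and controller identity were displayed before the choice
//   rejectAvailable: a "reject" path was offered alongside "accept"
// Returns { valid, reasons } so an audit can report every failing property at once.
function validateConsent(record) {
  const reasons = [];
  const affirmative = new Set(["accept_click", "save_preferences"]);
  if (!affirmative.has(record.action)) {
    // Scrolling, timeouts and closing the banner are not a clear affirmative action.
    reasons.push(`not unambiguous: "${record.action}" is not a clear affirmative action`);
  }
  const preTicked = Object.entries(record.defaults || {})
    .filter(([, on]) => on === true)
    .map(([purpose]) => purpose);
  if (preTicked.length > 0) {
    reasons.push(`pre-ticked purposes: ${preTicked.join(", ")}`);
  }
  if (!record.policyShown) {
    reasons.push("not informed: purposes/controller were not shown before the choice");
  }
  if (!record.rejectAvailable) {
    reasons.push("not freely given: no reject option was offered");
  }
  if (!record.choices || Object.keys(record.choices).length === 0) {
    reasons.push("not specific: no per-purpose choices were recorded");
  }
  return { valid: reasons.length === 0, reasons };
}

// Gate for non-essential scripts: only purposes the user affirmatively enabled
// in a VALID record may load. An invalid record grants nothing.
function grantedPurposes(record) {
  if (!validateConsent(record).valid) return [];
  return Object.entries(record.choices)
    .filter(([, on]) => on === true)
    .map(([purpose]) => purpose)
    .sort();
}

// Constructed sample snapshot of document.cookie on first page load.
const SAMPLE_PRECONSENT_COOKIES = "session_id=abc123; _ga=GA1.2.111; _fbp=fb.1.222; cookie_consent=";

// Constructed sample records: one that a scroll-to-accept plugin would produce,
// one from an explicit, unticked-by-default preferences dialog.
const SCROLL_RECORD = {
  action: "scroll",
  defaults: { analytics: true, marketing: false },
  choices: { analytics: true, marketing: false },
  policyShown: true,
  rejectAvailable: true,
};
const EXPLICIT_RECORD = {
  action: "save_preferences",
  defaults: { analytics: false, marketing: false },
  choices: { analytics: true, marketing: false },
  policyShown: true,
  rejectAvailable: true,
};

console.log("set before consent:", auditPreConsentCookies(SAMPLE_PRECONSENT_COOKIES));
console.log("scroll record:", validateConsent(SCROLL_RECORD));
console.log("explicit record grants:", grantedPurposes(EXPLICIT_RECORD));
```

In a browser, pass `document.cookie` to `auditPreConsentCookies` from a fresh profile before touching the banner; a non-empty result is the answer to the user's email. The gating function is deliberately all-or-nothing on validity: a record that fails any one property should load no non-essential script at all rather than partially honouring it.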