VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

Cookie banner scanner: does reject actually reject?

Most cookie banner audits stop at "does a banner exist." Vakteye goes further: it clicks reject, waits, and watches the network layer for trackers that fire anyway. It compares the pre-consent baseline, the post-reject state, and the post-accept state — the same triple-diff a regulator's technical investigator would run.

Who it's for

  • Sites using a consent management platform (CMP) that want proof it is configured correctly
  • Companies that changed their cookie banner recently and haven't re-verified behavior since
  • Agencies and consultants who need an independent, evidence-based check before sign-off

What Vakteye tests

  • Whether clicking reject actually blocks non-essential cookies from being set
  • Whether trackers reappear after consent withdrawal (zombie cookies)
  • Whether legitimate-interest toggles are pre-ticked in the CMP's settings panel
  • Whether the number of clicks to reject exceeds the number of clicks to accept (dark-pattern friction)

Legal basis

ePrivacy Directive Article 5(3)

Storing or accessing information on a device requires prior consent, with narrow exceptions — the legal basis for cookie banners existing at all.

LEK 9 kap. §28

Sweden's national implementation of the ePrivacy cookie-consent requirement, enforced domestically alongside GDPR.

GDPR Article 6(1)(a)

When consent is the legal basis for a cookie, it must meet GDPR's standard for consent — informed, specific, and revocable in practice.

Example finding

Legitimate-interest toggle pre-checked

What we observed

Inside the CMP's "manage preferences" panel, several purposes are marked as active under legitimate interest by default, requiring the visitor to actively opt out rather than opt in.

Why it matters

EDPB guidance on cookie banners treats pre-ticked legitimate-interest toggles as a form of pre-consent — the opposite of what Article 5(3) requires. It is one of the most common findings in real audits.

FAQ

Vakteye's scanner recognizes the major consent management platforms and adapts its selectors accordingly, but the test itself is behavioral — it checks what happens on the network, not which vendor's logo is on the banner.

The scan still runs. It checks what is set on first load with zero interaction, which is often the more serious finding — non-essential cookies and trackers active before a visitor has made any choice.

A full behavioral pass, including the reject/accept/withdrawal comparison, typically completes within a few minutes per page tested.

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.