Today I present improvements to the tool https://loi25.certi360.com
Each test checks one aspect of the site’s behaviour regarding cookies and consent.
1. CONSENT COMPLIANCE
- Presence of a consent banner Verification that a cookie management banner or bar is displayed on the first visit. The test detects known solutions (Complianz, OneTrust, Axeptio, Cookiebot, Tarteaucitron, etc.) or spots generic elements (modals, accept buttons).
- Accessibility of the “Reject all” button Checks that a button allowing rejection of all non-essential cookies is present and clickable. If the banner offers a “Customize” button, the test also looks for a reject button in the preferences panel.
- No non-essential cookies after rejection After clicking “Reject all,” comparison of cookies present before and after. Any newly created or modified cookie is classified (essential, non-essential, or unknown). Only non-essential and unknown cookies added or modified after rejection are considered failures.
- Cookie classification (whitelist / blacklist) Each cookie is matched to a list of known patterns: essential cookies (session, CSRF, language preferences, consent management, etc.) or non-essential (analytics, advertising, social networks). Unrecognized cookies are treated by default as subject to consent.
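The classification and the before/after comparison described in the last two points, as an added example that is not the tool's own code. The pattern lists are constructed for illustration (the tool's real whitelist and blacklist are not published here), and the cookie snapshots stand in for what a browser session would report before and after clicking "Reject all".

```python
import re

# Constructed pattern lists: names treated as strictly necessary ...
ESSENTIAL_PATTERNS = [
    r"^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|sessionid|session)$",  # session
    r"csrf|xsrf",                                                      # CSRF tokens
    r"^(lang|locale|wp-wpml_current_language)$",                        # language preference
    r"^(cookieyes-consent|cmplz_|CookieConsent|OptanonConsent|axeptio|euconsent|tarteaucitron)",  # consent management
]
# ... and names known to belong to analytics, advertising or social trackers.
NON_ESSENTIAL_PATTERNS = [
    r"^_ga(_|$)|^_gid$|^_gat",   # Google Analytics
    r"^_fbp$|^_fbc$|^fr$",       # Facebook / Meta Pixel
    r"^_hj",                     # Hotjar
    r"^_pk_",                    # Matomo
    r"^li_|^bcookie$|^lidc$",    # LinkedIn
    r"^_tt",                     # TikTok
]


def classify(name: str) -> str:
    """Return 'essential', 'non-essential' or 'unknown' for a cookie name.
    Unrecognised cookies are 'unknown' and therefore treated as subject to consent."""
    for pattern in ESSENTIAL_PATTERNS:
        if re.search(pattern, name, re.IGNORECASE):
            return "essential"
    for pattern in NON_ESSENTIAL_PATTERNS:
        if re.search(pattern, name, re.IGNORECASE):
            return "non-essential"
    return "unknown"


def rejection_failures(before: dict, after: dict) -> list:
    """Compare {name: value} snapshots taken before and after 'Reject all'.
    A cookie fails if it is new or changed after rejection and is not essential."""
    failures = []
    for name, value in after.items():
        if name in before and before[name] == value:
            continue  # neither created nor modified by the rejection
        category = classify(name)
        if category != "essential":
            failures.append((name, category))
    return sorted(failures)


# Constructed snapshots: only a session cookie before; several cookies after rejection.
SAMPLE_BEFORE = {"PHPSESSID": "3f9a"}
SAMPLE_AFTER = {
    "PHPSESSID": "3f9a",                # unchanged
    "csrftoken": "b7c1",                # essential, allowed
    "cmplz_consented_services": "[]",   # consent record, allowed
    "_ga": "GA1.1.123",                 # analytics: failure
    "_ga_ABC123": "GS1.1.456",          # analytics: failure
    "foo_tracker": "1",                 # unknown: failure
}

if __name__ == "__main__":
    for name, category in rejection_failures(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"{name}: {category} cookie set after rejection")
```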
2. COOKIE SECURITY
- HttpOnly attributes on sensitive cookies Verification that cookies related to session, authentication, or tokens (CSRF, JWT, etc.) carry the HttpOnly attribute to limit exfiltration risk via script (XSS).
- Secure attribute on HTTPS sites Checks that session or authentication cookies are marked “Secure” when the site is served over HTTPS, to avoid transmission in clear text over unsecured channels.
- SameSite / Secure consistency Detection of cookies with SameSite=None that do not carry the Secure attribute — a configuration rejected by recent browsers.
3. RETENTION PERIODS
- Lifetime of non-essential cookies Verification that the expiry date of non-essential or unknown cookies does not exceed 13 months (CNIL recommendation / GDPR Article 82).
- Lifetime of essential cookies Checks that cookies considered strictly necessary do not have excessive retention (recommendation: 12 months maximum).
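The attribute checks of section 2 and the retention checks of section 3 operate on the same data, the Set-Cookie headers of the responses, so one added example covers both. This is illustrative code written for this post, not the tool's implementation; the sensitive-name pattern and the sample headers are constructed, and the 13-month and 12-month limits are approximated in days.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Approximations of the limits discussed above (constructed for the example).
THIRTEEN_MONTHS = timedelta(days=396)   # non-essential / unknown cookies
TWELVE_MONTHS = timedelta(days=365)     # strictly necessary cookies

# Name fragments that mark a cookie as session/auth/token related (constructed list).
SENSITIVE_NAME = re.compile(r"sess|auth|token|csrf|xsrf|jwt|login", re.IGNORECASE)

REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime(cookie: dict, now: datetime):
    """Remaining lifetime of the cookie, or None for a session cookie.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:          # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_cookie(cookie: dict, https: bool, essential: bool, now: datetime = REFERENCE_TIME) -> list:
    """Return the findings for one cookie; an empty list means it passes."""
    findings = []
    attrs = cookie["attrs"]
    sensitive = bool(SENSITIVE_NAME.search(cookie["name"]))
    if sensitive and "httponly" not in attrs:
        findings.append("missing HttpOnly on sensitive cookie")
    if sensitive and https and "secure" not in attrs:
        findings.append("missing Secure on HTTPS site")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    life = lifetime(cookie, now)
    limit = TWELVE_MONTHS if essential else THIRTEEN_MONTHS
    if life is not None and life > limit:
        findings.append(f"lifetime {life.days} days exceeds {limit.days}-day limit")
    return findings


# Constructed headers standing in for a captured HTTPS response: (header, essential?)
SAMPLE_HEADERS = [
    ("PHPSESSID=3f9a; Path=/; HttpOnly; Secure; SameSite=Lax", True),
    ("auth_token=eyJhbGci; Path=/", True),
    ("_ga=GA1.1.123; Max-Age=63072000; Path=/; SameSite=None", False),
    ("lang=fr; Max-Age=15552000; Path=/; Secure", True),
]


def audit_headers(headers=SAMPLE_HEADERS, https: bool = True, now: datetime = REFERENCE_TIME) -> dict:
    """Map each cookie name to its list of findings."""
    report = {}
    for header, essential in headers:
        cookie = parse_set_cookie(header)
        report[cookie["name"]] = audit_cookie(cookie, https, essential, now)
    return report


if __name__ == "__main__":
    for name, findings in audit_headers().items():
        print(name, "->", findings or "OK")
```

Whether a cookie is essential comes from the classification step; here it is passed in as a flag so the two checks stay independent.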
4. DARK PATTERNS IN THE BANNER
- Visual balance between “Accept” and “Reject” Analysis of the sizes and styles of accept and reject buttons. An “Accept” button noticeably larger or more prominent than “Reject” is flagged as a potential dark pattern.
- Visibility of the reject button Verification that the reject button is not hidden (display: none, visibility: hidden, zero opacity) or rendered inaccessible.
- Pre-checked options Detection of checkboxes already checked by default for non-essential categories (analytics, advertising, etc.), which goes against the principle of explicit consent (opt-in).
5. TRANSPARENCY AND INFORMATION
- Presence of a link to the cookie policy Search on the page for an explicit link to the cookie management policy or privacy policy (by label or URL).
- Accessibility of the link from the banner Verification that this link is offered directly from the consent banner, to facilitate user information before their choice.
6. GOOGLE CONSENT MODE v2 VALIDATION
- Detection of Consent Mode usage Identification of sites using Google Consent Mode v2 (dataLayer, consent commands, gtag).
- Compliance of states after rejection After clicking “Reject all,” reading of consent states in the dataLayer. Verification that analytics_storage and ad_storage are in “denied” when the user has refused.
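How the consent state can be reconstructed from the dataLayer, as an added example rather than the tool's code. In the browser, gtag('consent', ...) pushes its arguments onto window.dataLayer; the constructed sample below represents those entries as lists. The example also checks ad_user_data and ad_personalization, the two signals Consent Mode v2 added, and ignores region-scoped defaults, which a full implementation would match against the visitor's region.

```python
from typing import Dict, List

# Signals that must read "denied" once the visitor has clicked "Reject all".
REQUIRED_DENIED = ("analytics_storage", "ad_storage", "ad_user_data", "ad_personalization")


def detect_consent_mode(data_layer: List) -> bool:
    """True when at least one gtag consent command is present in the dataLayer."""
    return any(
        isinstance(entry, (list, tuple)) and len(entry) >= 2 and entry[0] == "consent"
        for entry in data_layer
    )


def consent_state(data_layer: List) -> Dict[str, str]:
    """Replay consent 'default' and 'update' commands in push order.
    Later commands override earlier ones; region-scoped defaults are skipped here."""
    state: Dict[str, str] = {}
    for entry in data_layer:
        if not isinstance(entry, (list, tuple)) or len(entry) < 3:
            continue   # ordinary event objects such as {"event": "gtm.js"}
        command, action, params = entry[0], entry[1], entry[2]
        if command != "consent" or action not in ("default", "update"):
            continue
        if "region" in params:
            continue   # simplification: only region-less defaults are applied
        for key, value in params.items():
            if key != "wait_for_update":   # timing hint, not a consent signal
                state[key] = value
    return state


def not_denied_after_rejection(state: Dict[str, str]) -> List[str]:
    """Signals that are not 'denied' (missing ones count as failures too)."""
    return [key for key in REQUIRED_DENIED if state.get(key) != "denied"]


# Constructed dataLayer: a correct default, then a CMP update that wrongly
# grants analytics_storage even though the visitor rejected everything.
SAMPLE_DATA_LAYER = [
    ["consent", "default", {
        "ad_storage": "denied", "analytics_storage": "denied",
        "ad_user_data": "denied", "ad_personalization": "denied",
        "wait_for_update": 500,
    }],
    {"event": "gtm.js", "gtm.start": 1700000000000},
    ["consent", "update", {"ad_storage": "denied", "analytics_storage": "granted"}],
]

if __name__ == "__main__":
    if detect_consent_mode(SAMPLE_DATA_LAYER):
        failing = not_denied_after_rejection(consent_state(SAMPLE_DATA_LAYER))
        print("not denied after rejection:", failing or "none")
```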
7. THIRD-PARTY SCRIPTS AND CONTENT BEFORE CONSENT
- Tracking scripts loaded before user choice Inventory of third-party scripts (Google Analytics, GTM, Facebook Pixel, Hotjar, LinkedIn, TikTok, Matomo, etc.) loaded on the page. Particular attention to scripts inserted in the <head>, likely to execute before any interaction with the banner.
- Third-party service iframes Detection of third-party service iframes (YouTube, Vimeo, Google Maps, social widgets, etc.) loaded on page display without prior consent.
8. PERSISTENCE OF USER CHOICE
- Recording of rejection in a cookie After clicking “Reject all,” verification that at least one cookie (or storage key) related to consent is created or updated, so the choice is honoured on subsequent visits.
- Explicit rejection indicator Analysis of consent cookie values to detect a clear rejection indicator (rejected, denied, false, etc.), to ensure traceability of the choice.
9. TRACKING SERVICE IDENTIFICATION
- Service classification by their cookies From cookie names, identification of services (Google Analytics, Facebook Pixel, Hotjar, LinkedIn, Matomo, OneTrust, Complianz, etc.) and assignment to a category: analytics, advertising, consent management, marketing automation, or infrastructure. This work allows clearer results (“Google Analytics detected” rather than technical identifiers).
10. THIRD-PARTY COOKIES AND “ZOMBIE” COOKIES
- Third-party cookie count For each cookie, comparison of the cookie domain with the site domain (eTLD+1). Cookies whose domain does not match the site are counted as third-party cookies.
- Zombie cookie detection After deleting all cookies and reloading the page, verification that no cookie reappears without new user action. Reappearance of cookies after purge signals “evercookie” or similar techniques, incompatible with the right to erasure.
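The third-party checks of section 7 (scripts and iframes loaded before consent) and of section 10 (third-party cookie count) both reduce to comparing a hostname's eTLD+1 with the site's, so one added example covers both. This is illustrative code, not the tool's own: the suffix table, the tracker map and the sample HTML and cookies are constructed, and the "G-XXXX" tag id is a placeholder. A real implementation would use the Public Suffix List (for instance through the tldextract package) instead of the tiny table below.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "qc.ca", "co.uk", "gouv.qc.ca"}

# Constructed map from registrable domain to a readable service name.
KNOWN_SERVICES = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "facebook.net": "Facebook Pixel",
    "hotjar.com": "Hotjar",
    "doubleclick.net": "Google Ads (DoubleClick)",
    "youtube.com": "YouTube",
}


def etld_plus_one(host: str) -> str:
    """Registrable domain: the longest known public suffix plus one label."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


class ResourceCollector(HTMLParser):
    """Collect script and iframe sources, remembering whether they sit in <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts = []   # (src, in_head)
        self.iframes = []   # (src, in_head)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "head":
            self.in_head = True
        elif tag == "script" and src:
            self.scripts.append((src, self.in_head))
        elif tag == "iframe" and src:
            self.iframes.append((src, self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def _third_party(resources, site_domain):
    findings = []
    for src, in_head in resources:
        host = urlparse(src).hostname
        if not host:
            continue   # relative URL: served by the site itself
        domain = etld_plus_one(host)
        if domain != site_domain:
            findings.append({"service": KNOWN_SERVICES.get(domain, domain), "src": src, "in_head": in_head})
    return findings


def audit_page(html: str, site_host: str) -> dict:
    """Third-party scripts and iframes present on first load, before any consent."""
    collector = ResourceCollector()
    collector.feed(html)
    site_domain = etld_plus_one(site_host)
    return {"scripts": _third_party(collector.scripts, site_domain),
            "iframes": _third_party(collector.iframes, site_domain)}


def third_party_cookies(cookies, site_host: str) -> list:
    """Names of cookies whose domain's eTLD+1 differs from the site's."""
    site_domain = etld_plus_one(site_host)
    return [c["name"] for c in cookies
            if etld_plus_one(c["domain"].lstrip(".")) != site_domain]


# Constructed first-load HTML and cookie jar for a site at www.example.qc.ca.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/static/app.js"></script>
</head><body>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""
SAMPLE_COOKIES = [
    {"name": "PHPSESSID", "domain": "www.example.qc.ca"},
    {"name": "_ga", "domain": ".example.qc.ca"},
    {"name": "IDE", "domain": ".doubleclick.net"},
    {"name": "fr", "domain": ".facebook.com"},
]

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "www.example.qc.ca"))
    print("third-party cookies:", third_party_cookies(SAMPLE_COOKIES, "www.example.qc.ca"))
```

Note that _ga is set on .example.qc.ca and so counts as a first-party cookie here even though it belongs to an analytics service; that is why the service identification of section 9 works from cookie names rather than domains.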
11. ADDITIONAL CONTEXTS
- Internal navigation test Visit to several internal site pages (links found on the home page) and comparison of cookies before/after navigation, to detect cookie deposits triggered during browsing.
- CAPTCHA or WAF detection Identification of signals indicating a challenge page (CAPTCHA, WAF, Cloudflare, etc.), which may limit the scope of the analysis and are noted in the report's limitations section.
- Access blocking handling If loading fails (for example with an HTTP 403), several request strategies are tried (different User-Agent strings, browser parameters) in an attempt to obtain a usable result.