CHECKLIST
Your banner works. Compliance is a different test.
A weak campaign shows up as a low conversion rate. A broken form shows up as a failed submission. A non-compliant consent banner shows up nowhere — it renders, it collects clicks, your tags fire, and the dashboard reports a healthy consent rate. Nothing on the surface tells you the consent underneath is invalid. You find out at the point where it costs the most to find out: a complaint, an audit, an enforcement review. And because the authorities judge the dialogue as a whole, the failure is rarely one tag or one cookie — it's every consent you collected on top of it.
1
missing criterion invalidates the consent in its entirety.
Meeting most of the requirements doesn't get you most of the way there.

Where consent banners actually break
The guide walks through five areas in order, with a box to check off against your own implementation:
- Design and function – Reject and Accept are rarely as equal as they look. Six rules decide whether your banner is a genuine choice or a dark pattern in the eyes of the authorities — and one of them is the reason a lot of "compliant" banners quietly aren't.
- Storage and withdrawal – Consent has a shelf life, and most teams have never set the clock. When it silently expires, how long it stays valid, and the withdrawal requirement are almost always wrong in every implementation.
- Necessary information – You're collecting two consents, not one. Reviewers expect specific details on the first level and others on the detail level: the guide maps which go where, so nothing lands in the wrong place.
- Correct categorization – Why Google Analytics and Tag Manager need consent even when they're set up to look like they don't, the GA4 behaviour that catches teams off guard, and which "privacy-friendly" tools still don't get a pass.
- Technical pitfalls – The setups that fire tags without consent, while everything looks fine on the surface, including two services that almost every site embeds, which have to be blocked by default.
A reference you work through, not a PDF you skim
If you own the website but not the legal review, if you've been told the consent banner is a plugin you install once and forget, or if you can't say for certain that your "Reject" button is genuinely equal to your "Accept," this is built to be actioned point by point — every criterion distilled from the requirements and recommendations of the European Data Protection Board (EDPB), the French CNIL, and the German Data Protection Conference (DSK), into a checklist you can share with legal and IT.

Before you download
A single missing criterion. The EU, German, and French authorities treat the consent dialogue as a whole — fail on any one requirement and the consent it collected is invalid in its entirety, not just for the point you missed.
A single missing criterion. The EU, German, and French authorities treat the consent dialogue as a whole — fail on any one requirement and the consent it collected is invalid in its entirety, not just for the point you missed.
Declining has to be an equivalent alternative to consenting. Rejecting can't take more clicks or effort than accepting, and colour or contrast can't be used to steer the eye toward "Accept." If consent can be given at the top level, users must be able to reject everything at that same level.
Declining has to be an equivalent alternative to consenting. Rejecting can't take more clicks or effort than accepting, and colour or contrast can't be used to steer the eye toward "Accept." If consent can be given at the top level, users must be able to reject everything at that same level.
Yes, without exception. In GA4's Advanced Consent Mode the script loads before the user chooses; if they reject or simply ignore the banner, GA4 sets no cookies but still sends "cookieless pings" to Google's servers. Because of the data involved and the potential to re-identify users despite IP anonymization, that requires consent — even though the setup can look compliant on inspection.
Yes, without exception. In GA4's Advanced Consent Mode the script loads before the user chooses; if they reject or simply ignore the banner, GA4 sets no cookies but still sends "cookieless pings" to Google's servers. Because of the data involved and the potential to re-identify users despite IP anonymization, that requires consent — even though the setup can look compliant on inspection.
Between 6 and 24 months, and immediately whenever the underlying services change. The decision also has to be stored so the banner doesn't reappear on every page view in the meantime.
Between 6 and 24 months, and immediately whenever the underlying services change. The decision also has to be stored so the banner doesn't reappear on every page view in the meantime.
By default, yes. Even tools positioned as privacy-friendly actively read details such as screen resolution, so they can't be used without consent out of the box. The guide covers the one measurement architecture that is genuinely consent-exempt.
By default, yes. Even tools positioned as privacy-friendly actively read details such as screen resolution, so they can't be used without consent out of the box. The guide covers the one measurement architecture that is genuinely consent-exempt.

Which problem can we solve for you?
Every criterion in this checklist describes the standard. Whether your own site meets it is a different question. JustRelate runs a 30-day parallel deployment alongside your existing stack — measuring up to 99% of visits and conversions through a consent-exempt architecture compliant with the ePrivacy Directive (the TDDDG in Germany, the LIL in France) and the GDPR — and shows you exactly where your current consent setup stands against the requirements in this guide.