methodology / Privacy & Compliance / #46

Cookie banner presence + CMP detection

#46 · Required · Web Standards · legal · Privacy & Compliance · weight 1.3% · impl implemented · method v1.2.0

Web Standards item — Legal

This factor is part of Web Standards — the table-stakes binary layer of the score. It is graded pass/fail and gates the Web Quality score; it is not weighted into Web Quality itself.

Pass criteria: Tolerant — passes on pass or warn.
Web Standards label: Cookie consent (where required)
Excluded for: Personal site
Only in: European Union, United Kingdom
Why it's required: GDPR and the UK GDPR require a CMP for any site setting non-essential cookies. Hard requirement in those jurisdictions.

Same factor, two depths.

What we measure

EU and California visitors are entitled to cookie controls. A compliant cookie banner is required if you serve them and use any tracking cookies.

How to improve your score

Install a Consent Management Platform — free tiers are available from Cookiebot, Termly, and Osano. Configure it to block tracking cookies until the visitor consents.

Implementation

stale · v1 · seeded — no connector publish yet · source: freshcoat-discovery/src/connectors/privacy-legal.ts:scoreCookieBanner

Detection method

Gated by jurisdiction: only applies in EU/UK or sites that set non-essential cookies. When applicable, scans homepage HTML for known CMP fingerprints (OneTrust, Cookiebot, Quantcast Choice, TrustArc, etc.).

Detection sources

Scoring bands · soft ladder

Score	Condition
100	recognised CMP fingerprint detected
30	applicable site (EU/UK or cookies set) but no CMP detected
n/a	non-EU/UK site that doesn't set non-essential cookies — factor n/a

Evidence-key dictionary

What every notes string the connector emits means. Surfaces in the per-domain dossier evidence column.

Applicability

Required tier — Web Standards floor item. Required by GDPR/ePrivacy/CPRA in EU/UK/CA. US-only sites without non-essential cookies get n/a. Connector-level gate added Apr 29 (previously this factor false-failed every US-only site).

Changelog

Facts

Ticket

WEBQ-46

Implementation notes

Detect known CMP signatures in the HTML and loaded scripts.

When this applies

Cookie consent banners are graded for sites serving EU / UK / California users (GDPR, ePrivacy, CPRA). Other sites get n/a..

Only scored for jurisdictions: European Union, United Kingdom.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Cited by these standards

Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.

Australian Privacy Act + APPs Privacy AU Australia's federal privacy law, anchored on the 13 Australian Privacy Principles. The 2024 reforms added a statutory tort for serious privacy invasions and direct OAIC penalty powers.
Colorado Privacy Act Privacy US Colorado's CCPA-shaped privacy law, with a hard requirement to honour Universal Opt-Out Mechanisms like Global Privacy Control as of July 2024.
Connecticut Data Privacy Act Privacy US Connecticut's CCPA-shaped privacy law. Like Colorado, recognises Global Privacy Control as a valid opt-out signal — and the AG has been actively issuing cure notices since 2023.
Cookie consent baseline Privacy global If you set non-essential cookies before the user explicitly opts in, you're failing the standard most regulators now enforce.
COPPA Privacy US If your site is directed at U.S. children under 13 — or you knowingly collect from them — you need verifiable parental consent before any data collection. The 2025 amendments tightened this further around third-party advertising.
EU ePrivacy Regulation (withdrawn) Privacy EU The proposed regulation that would have replaced the 2002 ePrivacy Directive. After eight years stuck in negotiation, the European Commission formally withdrew the proposal in 2025 — so the old Directive (and the cookie-consent baseline it underpins) remains the operative law.
GDPR Privacy EU If a single EU resident can see your site, GDPR can apply. Cookie consent, a real privacy policy, and not silently tracking by default are the visible signs of compliance.
HIPAA Privacy US If your site collects, displays, or transmits protected health information, HIPAA applies. A privacy policy plus an explicit Notice of Privacy Practices and a clear consent flow are the minimum visible signals.
LGPD Privacy OTHER Brazil's GDPR analogue. If you serve Brazilian residents, treat it like GDPR-lite: lawful basis, consent for cookies, a real privacy policy, and ANPD-shaped data subject rights.
Oregon Consumer Privacy Act Privacy US Oregon's CCPA-shaped privacy law. Distinctive for explicitly covering nonprofits (after a one-year delay) and for a specific right to know which third parties received your data.
PIPEDA Privacy CA Canada's federal privacy law for commercial activity. Built around 10 fair information principles — meaningful consent, accountability, and the right to access your data.
POPIA Privacy OTHER South Africa's GDPR analogue. Eight conditions for lawful processing, a real privacy notice, and an Information Officer registered with the Regulator.
Quebec Law 25 Privacy CA Quebec's modernised privacy law — stricter than PIPEDA and the rest of Canada. Mandatory privacy officer, granular consent, data portability, and a right to algorithmic transparency.
Texas Data Privacy and Security Act Privacy US Texas's CCPA-shaped privacy law. Notable for ditching the consumer-count threshold — almost any business doing business in Texas is in scope, except small businesses as defined by the SBA.
Utah Consumer Privacy Act Privacy US Utah's CCPA-shaped privacy law, the most business-friendly of the bunch. Higher revenue threshold, no UOOM requirement (yet), and a permanent 30-day cure period.
Virginia CDPA Privacy US Virginia's CCPA-shaped privacy law. Applies if you process the data of 100K+ Virginia residents (or 25K+ if you derive 50%+ revenue from selling data). No private right of action — Virginia AG enforces.

Version history

Version	Change	Date
v1.2.0	Factor introduced. Status: live. Scoring impl: implemented.	2026-04-25

← back to methodology