You installed Cookiebot, the banner shows up, but is it truly compliant with the latest guidelines? We see it often: sites with an apparently working CMP that, under the hood, load marketing cookies before consent, fail to record rejections, or treat scrolling as implicit consent. Result: hefty fines from data protection authorities. At Meteora Web, we have been supporting businesses since 2017, and every project goes through a cookie compliance audit. Here’s what we learned about Cookiebot, from real configuration to common mistakes.
Why a CMP is not optional
The GDPR and the ePrivacy Directive require that users give informed, specific, and unambiguous consent before any non-essential cookie is loaded. A banner that only says “Accept All” with no granular choice is not compliant. That’s why you need a Consent Management Platform (CMP) like Cookiebot.
Cookiebot is one of the most popular CMPs because it offers automatic cookie scanning, categorization based on an updated database, and a consent interface with auditable logs. But correct installation is everything: if the script is placed wrong or categories don't match your tags, compliance is only superficial.
How Cookiebot works technically
When you insert Cookiebot's script into the <head> of your site, the CMP scans your domain and generates a list of detected cookies. You then assign each cookie to a category (Necessary, Preferences, Statistics, Marketing) and decide whether it should be blocked until consent. The banner appears based on the browser language, and users can choose which categories to accept.
Cookiebot also provides a unique consent ID per user, stored in logs to demonstrate traceability. In case of an audit, you can export these logs to prove consent was properly collected.
Blocking cookies before consent
This is the trickiest part. Cookiebot does not automatically block third-party cookies – you must configure placeholders for services (Google Analytics, Facebook Pixel, YouTube, etc.) so they don’t load until the user consents to the corresponding category. Use the Cookiebot API:
// Example: load Google Analytics only after statistics consent
let gaLoaded = false;
function loadGoogleAnalytics() {
  // window.CookieConsent avoids a ReferenceError if the CMP script has not loaded yet
  if (gaLoaded || !window.CookieConsent || !window.CookieConsent.consent.statistics) return;
  gaLoaded = true; // never inject the tag twice
  let ga = document.createElement('script');
  ga.src = 'https://www.googletagmanager.com/gtag/js?id=UA-XXXXX-Y';
  document.head.appendChild(ga);
}
// Cookiebot fires this once the consent state is known (from a previous session or after the banner click),
// so a one-off check at page load would miss users who accept after the page has rendered
window.addEventListener('CookiebotOnConsentReady', loadGoogleAnalytics, false);
Alternatively, use Cookiebot's data-cookieconsent attribute to automatically block third-party scripts:
<script type="text/plain" data-cookieconsent="statistics">
// Google Analytics code
</script>
This script only executes when the user accepts the “statistics” category.
Checking consent state via API
You can access real-time consent using window.CookieConsent. For example, to know if the user accepted marketing cookies:
if (window.CookieConsent && window.CookieConsent.consent.marketing) {
  // Activate Facebook Pixel, remarketing scripts, etc.
}
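Putting the two previous sections together, here is an added example (not Cookiebot's own code) of a small consent gate: third-party loaders are registered per Cookiebot category and run only once the consent state is known, each at most once, and nothing runs while consent is still unknown. It assumes the real-world facts the article describes: window.CookieConsent.consent.{preferences,statistics,marketing} and the CookiebotOnConsentReady / CookiebotOnAccept events fired on window; the getConsent and target parameters exist so the gate can be exercised with stubs.

```javascript
// Consent gate for Cookiebot (added example, not part of the Cookiebot SDK).
// Assumes window.CookieConsent.consent.<category> booleans and the
// CookiebotOnConsentReady / CookiebotOnAccept window events.
const CATEGORIES = ['preferences', 'statistics', 'marketing'];

// getConsent: () => window.CookieConsent (undefined before the CMP script runs)
// target: the object that receives Cookiebot events (window in a browser)
function createConsentGate(getConsent, target) {
  const pending = { preferences: [], statistics: [], marketing: [] };
  const loaded = new Set();

  // Register a service under the category the user must accept before it runs.
  function register(category, name, load) {
    if (!pending[category]) throw new Error('unknown Cookiebot category: ' + category);
    pending[category].push({ name, load });
  }

  // Run every registered loader whose category is consented; safe to call repeatedly.
  function apply() {
    const cc = getConsent();
    if (!cc || !cc.consent) return [];        // consent unknown: load nothing at all
    const ran = [];
    for (const cat of CATEGORIES) {
      if (cc.consent[cat] !== true) continue;  // declined or not yet chosen
      for (const svc of pending[cat]) {
        if (loaded.has(svc.name)) continue;    // never inject the same tag twice
        svc.load();
        loaded.add(svc.name);
        ran.push(svc.name);
      }
    }
    return ran;
  }

  // Re-evaluate on each event so a user who accepts after page load
  // gets the tags without a reload, and a partial accept loads only its categories.
  ['CookiebotOnConsentReady', 'CookiebotOnAccept'].forEach(
    (ev) => target.addEventListener(ev, apply, false));
  return { register, apply, loaded: () => Array.from(loaded) };
}

// Builds a loader that injects <script src> into the given document.
function scriptLoader(doc, src) {
  return () => {
    const s = doc.createElement('script');
    s.src = src;
    doc.head.appendChild(s);
  };
}
```

In a page you would call createConsentGate(() => window.CookieConsent, window) and register each loader with scriptLoader(document, url); the same pattern replaces the one-off if-checks, which silently miss consent given after the page has loaded.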
Common mistakes we see in client projects
1. Unverified auto-categorization. Cookiebot scans and auto-assigns cookies to categories. But if a third-party cookie is wrongly classified as “Necessary”, you might load it without consent. Always manually check the scanned cookie list and their categories.
2. No blocking for embedded services. YouTube videos, Google Maps, or social widgets load cookies even if the user hasn’t consented. Replace native iframes with Cookiebot placeholders that activate only after consent. Cookiebot provides templates for common services.
3. Banner not visible on mobile or AMP. Test on mobile devices; if you use AMP, ensure the banner is integrated correctly (Cookiebot has a specific AMP mode).
4. Outdated cookie policy. The CMP alone is not enough – you need a detailed cookie policy on your site, updated automatically with Cookiebot’s scanner. Set periodic scanning (e.g., every 7 days) to catch new cookies introduced by plugins or updates.
5. Still using implicit consent (scroll). The Italian DPA has repeatedly stated that scrolling or continued browsing does not constitute valid consent. Cookiebot defaults to explicit consent (button click), but some themes disable it. Verify that the banner requires a positive action.
Alternatives to Cookiebot: when to switch?
Cookiebot is solid, but alternatives exist: OneTrust (more enterprise, expensive), Termly (simpler, less blocking features), or FancyPants (open source, customizable). Choose based on traffic volume and budget. At Meteora Web, we recommend Cookiebot for most SMBs because of its good value and clear documentation.
In summary — what to do now
- Check script placement — it must be in the <head> before any third-party scripts.
- Verify categorization — log into Cookiebot's panel, review the cookie list, and assign correct categories.
- Configure placeholders for all third-party services (analytics, social, ads).
- Enable periodic scanning (set weekly scans).
- Test behavior using incognito mode and developer tools to see which cookies load before consent.
- Update your cookie policy and link it to the CMP.
- Store consent logs — Cookiebot keeps them for 12 months; verify you have a backup.
If you already have a CMP but are unsure about compliance, run an audit with developer tools. A compliant site builds trust and avoids fines. For more on data security, read our article on OpenAI Lockdown Mode.