This page contains a mix of compliant and non-compliant cookie behavior for testing cookie scanners like Cookiebot, Usercentrics, or OneTrust.
| Check | Expected | Why |
|---|---|---|
| Consent banner present | PASS | Banner rendered until cc_consent cookie is set |
| Granular category choice | PASS | Accept All / Only Necessary / Reject are distinct actions |
| Necessary cookies labelled | PASS | session_id flagged as strictly necessary, Secure; HttpOnly; SameSite set |
| Consent cookie itself | PASS | cc_consent has Secure and SameSite=Lax |
| Consent withdrawal | PASS | /cookies?consent=reject clears the consent cookie |
| Statistics cookie gated | PASS | stats_uid only set when cc_consent=all |
| Marketing cookie gated | PASS | mkt_campaign only injected when cc_consent=all |
| GA cookie set pre-consent | FAIL | _ga written by inline script on every page load |
| Facebook Pixel cookie pre-consent | FAIL | _fbp written by inline script on every page load |
| Tracking cookie from server | FAIL | tracking_id sent via Set-Cookie on every response, ignoring consent |
| Insecure marketing cookie | FAIL | ad_partner set without Secure, HttpOnly, or SameSite |
| Third-party tracking pixel pre-consent | FAIL | 1x1 image loaded from tracker domain before consent |
| Analytics script pre-consent | FAIL | Inline analytics runs regardless of cc_consent state |
| Cookie policy link | PASS | Banner and footer link to /cookies#policy |
The following fire on every page load, before any consent decision has been made:
_ga via document.cookie_fbp via document.cookieSet-Cookie: tracking_id=... on every responseSet-Cookie: ad_partner=... without Secure/HttpOnly/SameSite
These are only set after the user chooses Accept all:
stats_uid — set server-side via Set-Cookiemkt_campaign — injected client-side only when consent is allCurrently: neither cookie is set.
These are set regardless of consent, but are limited to what is strictly required:
session_id — Secure; HttpOnly; SameSite=Strictcc_consent — Secure; SameSite=Lax, stores the consent choice itselfHuman-readable summary of each category:
| Category | Cookie | Purpose | Lifetime |
|---|---|---|---|
| Necessary | session_id | Session identifier | Session |
| Necessary | cc_consent | Stores the consent choice | 6 months |
| Statistics | stats_uid | Anonymous visit analytics | 1 year |
| Statistics | _ga | Google Analytics visitor id | 2 years |
| Marketing | mkt_campaign | Campaign attribution | 30 days |
| Marketing | _fbp | Facebook Pixel visitor id | 90 days |
| Marketing | ad_partner | Third-party ad network id | 90 days |
| Unclassified | tracking_id | Unlabelled server tracker | 1 year |