Cookiebot is widely used for automated cookie scanning and GDPR consent banners across European and US sites. Its scanner is a starting point, not a continuous guarantee. Lokker runs browser-level consent flows to confirm that the categories Cookiebot assigns actually control what the browser sends.
Consent Platforms
Cookiebot, now part of the Usercentrics family, is a consent management platform that crawls websites for cookies, assigns categories, and deploys GDPR and ePrivacy-compliant consent banners and preference centers.
Trademark
Cookiebot is a trademark of Usercentrics A/S. Lokker is not affiliated with or endorsed by Usercentrics A/S.
Quick answer
Cookiebot is a consent management platform (CMP) that scans websites for cookies and tracking technologies, categorizes them, and presents visitors with a consent banner that lets them accept or decline tracking by category. When a visitor rejects non-essential cookies, Cookiebot blocks those technologies from loading. Cookiebot is IAB TCF 2.2 certified, supports Global Privacy Control (GPC), and is widely used by organizations subject to GDPR and CCPA. The platform works by periodically scanning your site's pages and building a cookie declaration. Gaps in coverage can occur if pages are added after the last scan, if cookies are loaded from JavaScript that the scanner did not execute, or if consent category assignments are incorrect. Lokker validates whether Cookiebot's block rules actually stop tracking at the network layer in each consent state.
Risk and failure modes
Cookiebot is effective when its crawler discovers all relevant cookies and scripts. In practice, several common scenarios leave gaps.
Cookiebot crawls detect cookies available at load time. Scripts that set cookies conditionally, after interaction, or through lazy-loaded iframes often go undetected.
A script that Cookiebot categorizes as Analytics may itself load another script that sets Advertising cookies. The chain is invisible to category-level blocking.
Google Consent Mode v2 requires specific signal initialization before any Google tags fire. Cookiebot's Consent Mode integration needs to be validated on each page type where Google tags are present.
Consent and configuration
A Cookiebot-scanned site with categories assigned to every cookie still needs testing to confirm that the rejection of Analytics stops analytics cookies and requests, not just cookies with the "Analytics" label.
The reject state should stop all non-essential outbound requests, including fetch and XHR calls to analytics endpoints, not just cookie setting.
The no-interaction state needs the same scrutiny: what loads before any banner choice is made often determines the outcome in regulatory inquiries.
GPC signal handling in Cookiebot varies by configuration version. Each deployment needs to be tested in a browser with GPC enabled.
Healthcare organizations using Freshpaint with Cookiebot should assign Freshpaint to the Statistics or Marketing category, not Necessary. Loading it before consent creates GDPR and CCPA exposure. See /topics/freshpaint for step-by-step categorization guidance.
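The state-by-state check described above, as an added example (not Lokker's or Cookiebot's code). The hosts, cookie name, state names and capture format are all constructed for illustration; in practice the captures would come from a browser run per consent state.

```javascript
// Added example. All hosts, cookie names and captures below are constructed.
const CATEGORY_BY_HOST = {
  "www.shop.example": "necessary",
  "consent.cmp.example": "necessary",
  "stats.analytics.example": "statistics",
  "px.ads.example": "marketing",
};

// Categories allowed in each consent state under test.
const ALLOWED = {
  "no-interaction": ["necessary"],
  "reject": ["necessary"],
  "gpc": ["necessary"],
  "statistics-only": ["necessary", "statistics"],
};

const req = (type, url, initiator = null) => ({ type, url, initiator });

// One capture per state: outbound requests plus cookies present afterwards.
const CAPTURES = {
  "no-interaction": { cookies: [], requests: [
    req("document", "https://www.shop.example/"),
    req("script", "https://cdn.widget.example/w.js", "https://www.shop.example/") ] },
  "reject": { cookies: [], requests: [
    req("script", "https://consent.cmp.example/banner.js", "https://www.shop.example/"),
    req("fetch", "https://stats.analytics.example/collect", "https://www.shop.example/app.js") ] },
  "gpc": { cookies: [], requests: [req("document", "https://www.shop.example/")] },
  "statistics-only": { cookies: [{ name: "ad_id", domain: "px.ads.example" }], requests: [
    req("script", "https://stats.analytics.example/a.js", "https://www.shop.example/"),
    req("script", "https://px.ads.example/sync.js", "https://stats.analytics.example/a.js") ] },
};

const categoryOf = (host) => CATEGORY_BY_HOST[host] || "uncategorized";
const hostOf = (url) => (url ? new URL(url).hostname : null);

// Return every request or cookie whose category the state does not allow.
// `via` is the initiating host, which exposes script-loads-script chains.
function findGaps(state, capture = CAPTURES[state]) {
  const allowed = new Set(ALLOWED[state]);
  const items = [
    ...capture.requests.map((r) => ({ kind: r.type, target: hostOf(r.url), via: hostOf(r.initiator) })),
    ...capture.cookies.map((c) => ({ kind: "cookie", target: c.domain, via: null })),
  ];
  return items
    .map((i) => ({ state, ...i, category: categoryOf(i.target) }))
    .filter((i) => !allowed.has(i.category));
}

const report = () => Object.keys(CAPTURES).flatMap((s) => findGaps(s));
```

In the constructed data, the reject state sets no cookies yet still sends a `fetch` to the analytics host, and the statistics-only state shows a marketing script loaded by the analytics script; both are gaps that a cookie-label check alone would miss.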
Regional compliance
Cookiebot was designed for ePrivacy and GDPR opt-in requirements. US state laws use opt-out frameworks with different default expectations. California law as amended by the CPRA requires honoring GPC as an opt-out of sale and sharing for cross-context behavioral advertising. A Cookiebot configuration optimized for GDPR may not handle that path correctly, and both need separate validation.
How Lokker helps
Lokker adds browser automation and network inspection to the category view Cookiebot provides, confirming that consent decisions translate into measurable changes in what the site sends.
Consent Validator runs each consent flow on the actual site and compares cookies and network requests state by state, producing a gap report that maps to Cookiebot category issues.
Privacy Edge scans properties on a repeating schedule so new uncategorized cookies are caught before the next Cookiebot scan is triggered.
Explore Lokker
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Cookiebot deployment.
Validation
Validates Cookiebot reject and GPC states against actual network behavior.
Intelligence
Provides ongoing visibility across a portfolio between Cookiebot scan cycles.
Side-by-side comparisons
Evaluating Cookiebot alongside other options? Our comparison guides score each tool on privacy defaults, HIPAA BAA availability, GDPR data residency, GPC support, and consent compliance posture.
Frequently Asked Questions
Cookiebot scans websites by crawling pages and executing JavaScript to identify cookies, local storage items, tracking pixels, and script loads that originate from third-party domains. It then categorizes what it finds into functional, preferences, statistics, and marketing categories. The scan results are used to build the cookie declaration presented to visitors and to configure which categories Cookiebot blocks when a user rejects non-essential tracking. The scan must be re-run when site content changes, as cookies added after the last scan are not automatically blocked.
Yes. Cookiebot is a certified CMP under the IAB Transparency and Consent Framework (TCF 2.2) and supports GPC signals. When GPC is detected, Cookiebot can be configured to automatically apply a reject state for non-essential tracking without requiring the user to interact with the consent banner. This is required in California under CCPA/CPRA and recommended under GDPR to respect browser-level privacy preferences. Configuration of GPC handling must be reviewed and tested independently to confirm it works as expected.
Cookiebot provides the consent banner and blocking infrastructure, but it is not a complete GDPR compliance solution by itself. Compliance also requires accurate categorization of all cookies and scripts, a data retention policy, a Data Processing Agreement with third-party vendors, privacy policy disclosures, and a process for handling data subject access requests. Additionally, Cookiebot's blocking must be verified at the network layer: a consent banner that displays and a CMP that blocks are different things, and the gap between them is where most compliance failures occur.
Next step
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Cookiebot fires in states where it should not.