Cookies set by JavaScript after page load
Cookiebot crawls detect cookies available at load time. Scripts that set cookies conditionally, after interaction, or through lazy-loaded iframes often go undetected.
Consent Platforms
Cookiebot automates consent discovery. Lokker validates what it misses.
Cookiebot is widely used for automated cookie scanning and GDPR consent banners across European and US sites. Its scanner is a starting point, not a continuous guarantee. Lokker runs browser-level consent flows to confirm that the categories Cookiebot assigns actually control what the browser sends.
Consent Platforms
Cookiebot
Cookiebot, now part of the Usercentrics family, is a consent management platform that crawls websites for cookies, assigns categories, and deploys GDPR and ePrivacy-compliant consent banners and preference centers.
Trademark
Cookiebot is a trademark of Usercentrics A/S. Lokker is not affiliated with or endorsed by Usercentrics A/S.
Risk and failure modes
Where Cookiebot coverage has limits
Cookiebot is effective when its crawler discovers all relevant cookies and scripts. In practice, several common scenarios leave gaps.
Third-party script chains
A script that Cookiebot categorizes as Analytics may itself load another script that sets Advertising cookies. The chain is invisible to category-level blocking.
Consent mode integration gaps
Google Consent Mode v2 requires specific signal initialization before any Google tags fire. Cookiebot's Consent Mode integration needs to be validated on each page type where Google tags are present.
Consent and configuration
Cookie categories need network verification, not just crawler confirmation
A Cookiebot-scanned site with categories assigned to every cookie still needs testing to confirm that the rejection of Analytics stops analytics cookies and requests, not just cookies with the "Analytics" label.
The reject state should stop all non-essential outbound requests, including fetch and XHR calls to analytics endpoints, not just cookie setting.
The no-interaction state needs the same scrutiny: what loads before any banner choice is made often determines the outcome in regulatory inquiries.
GPC signal handling in Cookiebot varies by configuration version. Each deployment needs to be tested in a browser with GPC enabled.
Regional compliance
GDPR and US state laws require different handling
Cookiebot was designed for ePrivacy and GDPR opt-in requirements. US state laws use opt-out frameworks with different default expectations. California law as amended by the CPRA requires honoring GPC as an opt-out of sale and sharing for cross-context behavioral advertising. A Cookiebot configuration optimized for GDPR may not handle that path correctly, and both need separate validation.
How Lokker helps
How Lokker validates Cookiebot configurations
Lokker adds browser automation and network inspection to the category view Cookiebot provides, confirming that consent decisions translate into measurable changes in what the site sends.
Consent state comparison
Consent Validator runs each consent flow on the actual site and compares cookies and network requests state by state, producing a gap report that maps to Cookiebot category issues.
Explore Consent ValidatorContinuous portfolio monitoring
Privacy Edge scans properties on a repeating schedule so new uncategorized cookies are caught before the next Cookiebot scan is triggered.
Explore Privacy EdgeExplore Lokker
Products that address Cookiebot privacy risk
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Cookiebot deployment.
Validation
Consent Validator
Validates Cookiebot reject and GPC states against actual network behavior.
Explore Consent ValidatorIntelligence
Privacy Edge
Provides ongoing visibility across a portfolio between Cookiebot scan cycles.
Explore Privacy EdgeNext step
Validate Cookiebot consent behavior across your portfolio
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Cookiebot fires in states where it should not.