A Node.js CLI that loads your site, clicks Reject All, and then checks whether tracking cookies and tracker requests really stop. Catches the most common GDPR cookie-consent violation — the one that got Kruidvat fined €600K and Coolblue fined €40K. Built by TrustYourWebsite as part of our compliance scanning suite.
```bash
npx @trustyourwebsite/cookie-consent-validator https://example.com
```
Requires Node.js 18+. Want the full picture — security headers, DNS auth, accessibility, GDPR text and more — across your entire site? Run a free scan at trustyourwebsite.com.
```
Cookie Consent Validation Report
================================
URL: https://example.com
CMP Detected: Cookiebot
Reject Button: Found and clicked

Cookies Before Reject: 12
Cookies After Reject: 8
Tracking Cookies After: 3 ← VIOLATIONS

VIOLATIONS:
  ✗ _ga (.google-analytics.com) — Google Analytics cookie persists after rejection
  ✗ _fbp (.facebook.com) — Facebook cookie persists after rejection
  ✗ _gcl_au (.example.com) — Google Ads cookie persists after rejection

Tracker Requests After Reject: 2
  ✗ www.google-analytics.com — Google Analytics request fired after rejection
  ✗ connect.facebook.net — Facebook Pixel request fired after rejection

Result: FAIL — 5 violations found
Full scan with remediation advice → https://trustyourwebsite.com
```
Cookiebot, OneTrust, Quantcast, Didomi, Osano, Complianz, CookieYes, Iubenda, Borlabs, TrustArc, CookieFirst — plus generic detection in 13 languages.
Headless Chromium via Puppeteer loads the page like a user, captures cookies before and after rejection, and watches network traffic for tracker beacons.
Exit code 0 = pass, 1 = violations, 2 = error. JSON output with --format json. Drop it into GitHub Actions in one line.
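The post-rejection check described above, sketched as an added example (not the validator's own source). The function names, the input shapes (`{ name, domain }` cookies, `{ url, ts }` requests) and the short rule lists are assumptions built from the names in the sample report.

```javascript
// Added example, not the validator's source. The rule lists are constructed
// from the names in the sample report; a production list is far larger.
const COOKIE_RULES = [
  { re: /^_ga(_|$)/, vendor: 'Google Analytics' },
  { re: /^_fbp$/, vendor: 'Facebook' },
  { re: /^_gcl_/, vendor: 'Google Ads' },
];
const TRACKER_DOMAINS = [
  { domain: 'google-analytics.com', vendor: 'Google Analytics' },
  { domain: 'connect.facebook.net', vendor: 'Facebook Pixel' },
];

// Match on a DNS label boundary, so "google-analytics.com.evil.test" and
// "notgoogle-analytics.com" are not mistaken for the tracker domain.
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === domain || h.endsWith('.' + domain);
}

// cookies: [{ name, domain }] read after the post-reject wait.
// requests: [{ url, ts }] from the network log; rejectedAt: click time (ms).
function findViolations(cookies, requests, rejectedAt) {
  const violations = [];
  for (const c of cookies) {
    const rule = COOKIE_RULES.find((r) => r.re.test(c.name));
    if (rule) violations.push({ type: 'cookie', name: c.name, vendor: rule.vendor });
  }
  for (const r of requests) {
    if (r.ts <= rejectedAt) continue; // before the click: outside the post-reject check
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; } // skip malformed URLs
    const hit = TRACKER_DOMAINS.find((t) => hostMatches(host, t.domain));
    if (hit) violations.push({ type: 'request', host, vendor: hit.vendor });
  }
  return violations;
}

// Constructed sample capture; the reject click happens at t = 5000 ms.
const sampleCookies = [
  { name: '_ga', domain: '.google-analytics.com' },
  { name: 'session_id', domain: 'example.com' },
  { name: '_gallery_view', domain: 'example.com' },
];
const sampleRequests = [
  { url: 'https://www.google-analytics.com/collect', ts: 1200 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', ts: 6100 },
  { url: 'https://google-analytics.com.evil.test/x.js', ts: 6400 },
];
const sampleViolations = findViolations(sampleCookies, sampleRequests, 5000);
console.log(sampleViolations.length === 0 ? 'PASS' : 'FAIL', sampleViolations);
```

Anchoring the cookie patterns and matching hosts on label boundaries keeps look-alike names such as `_gallery_view` or `google-analytics.com.evil.test` from producing false positives.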
Under GDPR and the Dutch Telecommunicatiewet, websites must stop all non-essential tracking when users reject cookies. Most cookie banners look compliant but aren't — tracking continues after Reject All. The Dutch Data Protection Authority (AP) has fined Kruidvat €600K and Coolblue €40K for non-compliant banners, and has warned 200+ organizations in 2025. This tool catches that — before a regulator does.
| CMP | Detection | Reject button |
|---|---|---|
| Cookiebot | #CybotCookiebotDialog | #CybotCookiebotDialogBodyLevelButtonLevelOptinDeclineAll |
| OneTrust | #onetrust-banner-sdk | #onetrust-reject-all-handler |
| Quantcast | #qc-cmp2-container | button[mode="secondary"] |
| Didomi | #didomi-notice | #didomi-notice-disagree-button |
| Osano | .osano-cm-window | .osano-cm-deny |
| Complianz | .cmplz-cookiebanner | .cmplz-deny |
| CookieYes | .cky-consent-container | .cky-btn-reject |
| Iubenda | .iubenda-cs-container | .iubenda-cs-reject-btn |
| Borlabs Cookie | #BorlabsCookieBox | [data-cookie-refuse] |
| TrustArc | #truste-consent-banner | .truste-consent-required |
| CookieFirst | #cookiefirst-root | [data-cookiefirst-action="reject"] |
| Custom / generic | Text-based detection | Multilingual button text matching (13 languages) |
```yaml
# GitHub Actions
- name: Check cookie consent compliance
  run: npx @trustyourwebsite/cookie-consent-validator https://your-site.com --format json --output consent-report.json
- name: Upload report
  if: always()
  uses: actions/upload-artifact@v4
  with:
    name: consent-report
    path: consent-report.json
```
```js
import { validateConsent } from '@trustyourwebsite/cookie-consent-validator';

const result = await validateConsent('https://example.com', {
  timeout: 10000,
  waitAfterReject: 3000,
  screenshot: true,
});

console.log(result.cmpDetected); // 'Cookiebot'
console.log(result.rejectButtonClicked); // true
console.log(result.violations); // [...violations]
console.log(result.passed); // false
```
A real audit also covers HTTP security headers, DNS email authentication (SPF / DKIM / DMARC / BIMI / MTA-STS), accessibility, TLS configuration, GDPR policy text and broken-link health — on every page of your site. TrustYourWebsite runs all of those automatically and gives you a single fix-it report.
Grade your website's HTTP security headers from A+ to F — HSTS, CSP, X-Frame-Options and more.
Audit SPF, DKIM, DMARC, BIMI and MTA-STS for any domain.