Compliance Copilot
Compliance Copilot scans your site configuration and cookie inventory for 7 common compliance issues, assigns severity levels, and provides actionable recommendations — including one-click fixes for the most common problems.
This is a Pro+ feature.
How to access
- Open your site in the CookieBoss dashboard
- Navigate to the Site Detail page
- Find the Compliance Copilot card
- Click Run Check to analyze your site
The 7 compliance checks
1. Unclassified cookies
Cookies in your inventory that haven’t been assigned to a category (necessary, functional, analytics, or marketing). If more than 20% of your cookies are unclassified, this is flagged as high severity.
Unclassified cookies can’t be properly blocked or allowed based on visitor consent, which creates a compliance gap.
2. Pre-consent tracking
Detects scripts and cookies that fire before the visitor has given consent. This is the most serious compliance risk and is flagged as critical severity when your site is configured for opt-in consent (signal-only mode with opt-in geo rules).
Pre-consent tracking means visitor data is collected before they’ve had a chance to accept or reject — a direct GDPR violation.
3. Missing Google Consent Mode V2
Checks whether Google Consent Mode V2 is enabled. Without GCM V2, Google tags can’t operate in their restricted “cookieless” mode, which affects both compliance and ad measurement. Flagged as medium severity.
4. Excessive cookie expiry
Identifies cookies with expiration times longer than 365 days. Many privacy regulations and browser vendors consider long-lived cookies a tracking concern. Flagged as medium severity.
5. Unknown cookie providers
Cookies from domains that aren’t in the CookieBoss cookie database. These may be legitimate third-party services, but they should be reviewed and classified. Flagged as low severity.
6. Missing reject-all button
Checks whether your banner includes a visible “Reject All” button for visitors in opt-in regions (EU/EEA/UK). GDPR guidance requires that rejecting cookies be as easy as accepting them. Flagged as high severity.
7. Stale scan
Your most recent cookie scan is more than 30 days old. Websites change frequently — new scripts get added, third-party tags update, and new cookies appear. Regular scanning keeps your cookie inventory accurate. Flagged as medium severity.
Severity levels
| Severity | Color | Meaning |
|---|---|---|
| Critical | Red | Immediate compliance risk — fix before anything else |
| High | Orange | Significant issue that could result in regulatory action |
| Medium | Yellow | Should be addressed, but not an urgent blocker |
| Low | Blue | Minor issue or best-practice recommendation |
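The inventory-based checks (1, 4, 5 and 7) can be reproduced offline against an exported cookie list. The following is an added example, not CookieBoss code: the field names, the known-provider set and the sample inventory are assumptions constructed for illustration, and only the thresholds and severities come from this page.

```python
from datetime import date

CATEGORIES = {"necessary", "functional", "analytics", "marketing"}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

def run_checks(cookies, known_domains, last_scan, today):
    """Return (check, severity, affected cookie names) tuples, worst first."""
    findings = []
    # Check 1: high severity when more than 20% of cookies are unclassified.
    # The page states no severity at or below 20%, so nothing is reported there.
    unclassified = [c["name"] for c in cookies if c.get("category") not in CATEGORIES]
    if cookies and len(unclassified) / len(cookies) > 0.20:
        findings.append(("unclassified_cookies", "high", unclassified))
    # Check 4: expiry longer than 365 days (session cookies count as 0 days).
    long_lived = [c["name"] for c in cookies if (c.get("expiry_days") or 0) > 365]
    if long_lived:
        findings.append(("excessive_expiry", "medium", long_lived))
    # Check 5: cookie domain missing from the known-provider set (assumed input,
    # standing in for the vendor's cookie database).
    unknown = [c["name"] for c in cookies if c["domain"] not in known_domains]
    if unknown:
        findings.append(("unknown_provider", "low", unknown))
    # Check 7: most recent scan is more than 30 days old.
    if (today - last_scan).days > 30:
        findings.append(("stale_scan", "medium", []))
    # Stable sort keeps insertion order within the same severity.
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[1]))
    return findings

# Constructed sample inventory (hypothetical field names and values).
SAMPLE = [
    {"name": "session_id", "domain": "example.com", "category": "necessary", "expiry_days": None},
    {"name": "analytics_id", "domain": "analytics.example", "category": "analytics", "expiry_days": 730},
    {"name": "promo_seen", "domain": "example.com", "category": None, "expiry_days": 30},
    {"name": "trk", "domain": "tracker.invalid", "category": None, "expiry_days": 400},
]
KNOWN_DOMAINS = {"example.com", "analytics.example"}

if __name__ == "__main__":
    for check, severity, names in run_checks(
            SAMPLE, KNOWN_DOMAINS, date(2024, 1, 1), date(2024, 2, 15)):
        print(f"{severity:8} {check:22} {', '.join(names)}")
```

Checks 2, 3 and 6 depend on banner and site configuration rather than the cookie inventory, so they are outside what this sketch covers.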
One-click fixes
Some risks include a Fix button that applies the recommended change immediately:
- Missing GCM V2 — enables Google Consent Mode V2 in your site configuration
- Missing reject-all button — switches to full-blocking mode with a visible reject button
- Stale scan — triggers a new cookie scan
After applying a fix, re-run the compliance check to confirm the issue is resolved.
AI recommendations
Each detected risk includes an AI-generated recommendation explaining what the issue means, why it matters, and the specific steps to fix it. These recommendations are tailored to your site’s configuration and cookie inventory.
Run checks after every scan
Run compliance checks after every cookie scan to catch new issues early. When new scripts or cookies appear on your site, Compliance Copilot will flag them immediately.