Cookie-Script Alone May Not Be Enough: What a Scan Reveals Beyond the Banner
Steven | TrustYourWebsite · 20 April 2026 · Last updated: May 2026
Cookie-Script is a CMP, Not Everything
Cookie-Script does one job exceptionally well: it provides a consent banner, manages cookie declarations and blocks trackers until consent is given. It costs roughly £6/month and serves over 100,000 tracker definitions. If your compliance need is "PECR Regulation 6 storage and access," Cookie-Script solves that problem.
But PECR is not your only compliance obligation. Under the UK GDPR, the ICO guidance on storage and access technologies and the Copyright Designs and Patents Act 1988, your website must handle far more than cookies. A CMP alone cannot verify this.
What PECR Actually Requires
The Privacy and Electronic Communications Regulations 2003 (PECR), as updated by the Data (Use and Access) Act 2025 (which took effect on 5 February 2026), require you to obtain prior consent "to the UK GDPR standard" before storing or accessing information on users' devices via cookies or similar technologies.
Three new exemptions were introduced in February 2026 for certain categories: network authentication, session management and user-controlled preferences. Outside these narrow cases, PECR Regulation 6 says you must tell users what you do and get consent first.
Cookie-Script handles this enforcement. When a user clicks "Reject All," the banner blocks non-essential cookies. The question is whether it blocks them reliably. And whether everything else on your site is compliant.
What a Scanner Checks That a CMP Does Not
| Compliance area | CMP (Cookie-Script) | Compliance scanner |
| --- | --- | --- |
| Cookie consent banner | Yes. Core function. | Tests whether the banner you have actually works. |
| Trackers respect reject decision | Sets the consent flag. Cannot verify what scripts do with it. | Clicks Reject all and watches whether scripts still fire. |
| Google Fonts IP leak | Not covered. | Detected. |
| YouTube and Maps embeds gated | Not covered. | Detected per embed. |
| Image copyright and licensing | Not covered. | Flags stock-photo and unlicensed-source patterns. |
| Privacy notice completeness (Art 13) | Not covered. | Checks presence and key disclosures. |
| Accessibility (WCAG 2.1 AA) | Not covered. | axe-core run on every page tested. |
| SSL and security headers | Not covered. | HSTS, CSP, X-Frame-Options, certificate expiry all tested. |
| Trader identification (Companies Act and E-Commerce Regs) | Not covered. | Checks for company number, VAT, contact details. |

1. Do Rejected Cookies Actually Stop Firing?
A CMP sets the banner. It does not verify that your third-party integrations respect the consent signal. TrustYourWebsite's scan automatically loads your site, rejects all cookies and checks whether Google Analytics, Meta Pixel, Hotjar or other trackers still fire. Many websites fail this test because their JavaScript doesn't check the consent flag before sending data. Cookie-Script provides the flag. Your developer must read it.
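The check described above can be expressed as a pass over the requests a headless browser recorded around the "Reject all" click. This is an added example, not TrustYourWebsite's or Cookie-Script's code; the tracker domain map, the capture format and the sample timestamps are assumptions constructed for illustration.

```javascript
// Constructed tracker map for illustration; a real scanner uses a maintained list.
const TRACKER_DOMAINS = {
  "google-analytics.com": "Google Analytics",
  "connect.facebook.net": "Meta Pixel",
  "hotjar.com": "Hotjar",
};

// Match the exact domain or any subdomain of it, never a look-alike suffix.
function trackerFor(hostname) {
  const host = hostname.toLowerCase();
  for (const [domain, name] of Object.entries(TRACKER_DOMAINS)) {
    if (host === domain || host.endsWith("." + domain)) return name;
  }
  return null;
}

// requests: [{ url, t }] with t in ms since navigation start.
// rejectAt: the time (same clock) at which "Reject all" was clicked.
function findConsentViolations(requests, rejectAt) {
  const findings = [];
  for (const { url, t } of requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // unparseable entry
    const tracker = trackerFor(host);
    if (!tracker) continue;
    // Prior consent is required, so a tracker request is a finding in either phase.
    const phase = t < rejectAt ? "before-choice" : "after-reject";
    findings.push({ tracker, host, t, phase });
  }
  return findings;
}

// Constructed capture: one tracker loads before any choice, two fire after rejection.
const SAMPLE_CAPTURE = [
  { url: "https://shop.example/app.js", t: 40 },
  { url: "https://static.hotjar.com/c/hotjar-0000000.js", t: 300 },
  { url: "https://www.google-analytics.com/g/collect?v=2", t: 2100 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", t: 2300 },
  { url: "https://google-analytics.com.cdn.example/x.js", t: 2400 }, // look-alike, ignored
];
const SAMPLE_REJECT_AT = 1500;

console.log(findConsentViolations(SAMPLE_CAPTURE, SAMPLE_REJECT_AT));
```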
2. Google Fonts Data Leaks
Google Fonts, by default, sends visitor IP addresses to Google's servers in the United States. This is personal data under the UK GDPR. Even if your cookie banner is perfect, loading Google Fonts without prior consent or a legal basis violates Article 6 GDPR. The solution is to self-host the fonts or use a privacy-friendly alternative like Bunny Fonts. A CMP does not detect this. A scanner does.
3. YouTube Embeds and Tracking
Embedding YouTube videos initiates Google tracking via cookies and Local Storage. The "nocookie" variant still sets cookies if the user clicks play. Cookie-Script cannot monitor embedded videos across your site. A scan reveals every embed and flags non-consent-gated implementations.
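A static pass over page markup covers both the Google Fonts and the embed checks from sections 2 and 3. This is an added example, not the scanner's own code; the host rules are built from the services the article names, and treating a URL held in `data-src` (with no live `src`) as consent-gated is an assumed convention.

```javascript
// Hosts taken from the article's examples; the list is constructed for illustration.
const THIRD_PARTY_RULES = [
  { kind: "google-fonts", host: /^fonts\.(googleapis|gstatic)\.com$/, path: /^\// },
  { kind: "youtube-embed", host: /^(www\.)?youtube(-nocookie)?\.com$/, path: /^\/embed\// },
  { kind: "google-maps-embed", host: /^(www\.)?google\.com$/, path: /^\/maps\/embed/ },
];

// Resolve relative and protocol-relative URLs against a dummy base before matching.
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw, "https://base.invalid/"); } catch { return null; }
  const rule = THIRD_PARTY_RULES.find(r => r.host.test(u.hostname) && r.path.test(u.pathname));
  return rule ? rule.kind : null;
}

// Regex tag scan: adequate for static markup, blind to tags injected by script.
function findThirdPartyResources(html) {
  const findings = [];
  for (const tag of html.matchAll(/<(link|iframe|script)\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of tag[2].matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || "";
    }
    const liveUrl = attrs.src || attrs.href || "";   // fetched as soon as it is parsed
    const parkedUrl = attrs["data-src"] || "";       // assumed gating convention
    const liveKind = classifyUrl(liveUrl);
    const parkedKind = classifyUrl(parkedUrl);
    if (liveKind) findings.push({ kind: liveKind, url: liveUrl, gated: false });
    else if (parkedKind) findings.push({ kind: parkedKind, url: parkedUrl, gated: true });
  }
  return findings;
}

// Constructed markup: self-hosted font, remote font, three embeds (one gated).
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/fonts/inter.css">
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<iframe data-src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src='//www.google.com/maps/embed?pb=PLACEHOLDER'></iframe>
`;

console.log(findThirdPartyResources(SAMPLE_HTML).filter(f => !f.gated));
```

The `youtube-nocookie.com` embed is reported as ungated because, as noted above, it still sets cookies once the visitor presses play.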
4. Image Copyright and Licensing
Under the CDPA 1988, copyright in images is automatic. Using stock images without permission or a valid license is infringement. The ICO does not enforce copyright (that is the responsibility of rights holders), but a due-diligence scan flags unlicensed images, stock photography without proper attribution and copyright notices missing from your terms. Cookie-Script does not touch this.
5. Privacy Policy Completeness
UK GDPR Article 13 (information to provide when personal data is collected from the data subject) and Article 14 (information to provide when personal data is not obtained from the data subject) require specific disclosures. Your privacy policy must name all third parties you share data with, explain your legal basis for processing and detail retention. A CMP does not audit policy. A scanner checks for clarity, completeness and whether the policy actually matches what your site does.
6. Accessibility
The Equality Act 2010 requires you to make reasonable adjustments to ensure people with disabilities have equal access to your goods and services. The standard is WCAG 2.1 Level AA (or WCAG 2.2 for public sector from 2026). Accessibility is a distinct compliance obligation from cookies. Cookie-Script does not measure it. A scan tests keyboard navigation, colour contrast, alt text and heading structure.
7. SSL and Security Headers
A proper SSL certificate and HTTP security headers (HSTS, CSP, X-Frame-Options) are not cookie consent issues. But they are essential to protect your users from man-in-the-middle attacks and injection. Cookie-Script does not audit these. A scanner does.
8. Imprint and Contact Details
UK websites do not have a legal "imprint" requirement (that is EU-specific). But you must have a way for users to contact you and a clear trading name. This is part of the Consumer Rights Act 2015 (distance selling) and, indirectly, the Online Safety Act 2023. A privacy-first scan flags missing contact information.
The Complementary Model
Cookie-Script and a compliance scanner serve different purposes. Think of it this way:
- Cookie-Script is tactical: it manages consent for cookies specifically, blocking trackers until users agree.
- A scanner is strategic: it audits all compliance obligations on your site and tells you which ones you are missing.
You need both. A CMP without a scan is like a seatbelt without airbags. It handles one risk well but leaves others unmanaged.
How to Use Them Together
- Set up Cookie-Script (or another CMP like Cookiebot or CookieYes) to manage your banner and tracker consent.
- Run a compliance scan to verify the banner actually blocks cookies and to identify non-cookie compliance gaps.
- Fix issues the scan reveals: self-host Google Fonts, add missing disclosures to your privacy policy, gate YouTube embeds behind consent, check image licensing and test accessibility.
- Run the scan again after each fix to confirm improvement.
The Bottom Line
Cookie-Script is excellent at what it does. But it solves one problem: cookie consent. Under the UK GDPR, PECR, CDPA 1988, Equality Act 2010 and consumer protection rules, "cookie consent" is just one of many compliance needs. A scanner fills the gap by verifying that your banner works correctly and by catching the compliance issues that fall outside a CMP's scope.
If you are using Cookie-Script alone, you are compliant on consent. But you may still be non-compliant on data privacy, security, accessibility and copyright. A scan tells you which.
Sources and Further Reading
- ICO guidance on storage and access technologies
- PECR: Privacy and Electronic Communications Regulations
- Data (Use and Access) Act 2025: Royal Assent
- Google Fonts and GDPR: Privacy implications
- YouTube embeds and GDPR compliance
- CDPA 1988: Copyright, Designs and Patents Act
- Equality Act 2010 and website accessibility
- WCAG 2.1 Level AA standards