CMP configuration functionality_storage

Cookiebot (CMP) — consent fix

Cookiebot is detected as CMP, but the configuration contains common errors that undermine the validity of consent: (1) categories are enabled by default (opt-out instead of opt-in), (2) the reject button ("Deny") has less visual prominence than the accept button, which is considered a dark pattern. Both violate GDPR requirements for free, informed consent.

Domains

  • cookiebot.com
  • consent.cookiebot.com
  • consentcdn.cookiebot.com

Cookies

  • CookieConsent

Cookiebot is not a tracker, but a Consent Management Platform (CMP). If our scan flags Cookiebot as a violation, it does not mean that Cookiebot itself is stealing data. It means that your configuration of Cookiebot violates the GDPR. As a result, the consent you collect via the banner is legally invalid.

Why Cookiebot triggers a warning

Many websites install Cookiebot and leave the default settings as they are, or try to steer the visitor via so-called "Dark Patterns".

The three most common mistakes are:

  1. Pre-ticked boxes (Opt-out): The categories for statistics and marketing are already checked by default. The visitor must actively uncheck them. Under the GDPR, only active "Opt-in" is valid.
  2. No deny button: There is a large, prominent 'Accept all' button, but the 'Deny' button is missing, hidden under 'Show details', or intentionally coloured the same as the background to make it invisible.
  3. Failed Auto-blocking: Cookiebot is installed, but scripts (such as Google Analytics or the Meta Pixel) still load via Google Tag Manager (GTM) before the visitor has clicked anything.

The Fix: Make Cookiebot GDPR-compliant

Follow these steps in the Cookiebot management environment (dashboard) to make your banner fully compliant.

1. Uncheck all boxes by default (Opt-in)

  1. Log in to your Cookiebot dashboard.
  2. In the menu, go to Configuration and then to the Banner tab.
  3. Locate the setting Category defaults.
  4. Ensure that the toggles/checkboxes for Preferences, Statistics, and Marketing are set to OFF. (Only Necessary may remain checked).

2. Make denying as easy as accepting

  1. Within the Banner tab, go to the settings for Appearance or the banner type.
  2. Choose a layout where the 'Deny' button is directly visible on the first layer of the banner, next to the 'Allow all' button.
  3. Do not use deceptive colours. Give the deny button a normal contrast so that it is just as readable as the accept button.

3. Test if scripts actually wait

If your banner is perfectly configured, but your scripts ignore the banner, you still have a data leak. Have you implemented GTM? Make sure you use the Cookiebot GTM template, or work with Consent Mode v2 so that tags in GTM only fire after approval.

How to Verify the Fix

Perform a full test via your browser to ensure your changes work.

  1. Open your website in an incognito window.
  2. Review the banner: are statistics and marketing unchecked by default? Is there a clear deny button?
  3. Click on Deny.
  4. Open Developer Tools (F12) and check the Network tab. There must be no network requests to Facebook, Google Ads, or other trackers visible.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

Go directly to Cookiebot

View the official documentation and configuration options for Cookiebot.

View Cookiebot →

Check your own site

Scan your website for free to see if Cookiebot (CMP) (or other trackers) loads before consent.

Start free scan →