
GDPR: legal pages, third-party trackers and cookie banners under the microscope

A missing privacy policy is a legal blind spot. A cookie banner without a reject button is a ticking fine. Tests #34 and #57 catch the missing pages and the missing banner before a regulator does; the reject button itself still needs a quick manual check.

Key Takeaways
  • Test #34 scans for legal page signals: legal notice, privacy policy, terms of service, cookie policy. None of the four found = score 20/100; only one found = 70/100
  • Test #57 detects cookie consent mechanisms: known CMP platforms, TCF v2 API, consent mode, generic banner patterns. No banner at all = score 20/100
  • GDPR fines can reach 4% of worldwide annual turnover or 20 million euros, whichever is higher; agencies that include compliance checks in their audits tap into fear-driven demand

GDPR compliance is not optional. Since May 2018, every website targeting European users must display clear legal pages, obtain consent before dropping non-essential cookies (the consent rule comes from the ePrivacy Directive, the consent standard from GDPR), and provide a genuine opt-out mechanism. Yet in 2026, a staggering number of WordPress sites still load Google Analytics before any consent is given, or simply have no cookie banner at all.

The consequences are not theoretical. In 2024 alone, European data protection authorities issued over 2 billion euros in fines. Small businesses are not exempt: the French CNIL regularly sanctions SMEs for missing privacy policies and non-compliant cookie banners. For agencies and freelancers, this is both a risk and an opportunity.

Orilyt runs two complementary tests. Test #34 checks whether the site displays the mandatory legal pages: legal notice, privacy policy, terms of service and cookie policy. Test #57 detects whether a cookie consent mechanism exists and is properly implemented. Together, they cover the two pillars of GDPR website compliance.

GDPR compliance tests: legal page detection, cookie consent banner verification and third-party tracker analysis

Test #34: Are your legal pages present?

Test #34 scans the full HTML source of the audited page for keyword signals across four categories:

  1. Legal notice (mentions légales / imprint): required by law in France, Germany and most EU countries, since the e-Commerce Directive obliges every online service provider to publish its identity and contact details. The test looks for "legal notice", "imprint", "mentions légales" in links, headings and body text
  2. Privacy policy — the cornerstone of GDPR compliance. The test searches for "privacy policy", "politique de confidentialité", "personal data" and equivalent phrases in FR, EN, ES, DE
  3. Terms of service / CGV — essential for e-commerce and SaaS sites. Keywords include "terms and conditions", "conditions générales de vente", "terms of use"
  4. Cookie policy — a dedicated page explaining what cookies the site uses. The test detects "cookie policy", "politique de cookies" and related phrases

The scoring is straightforward: 2 or more categories detected = score 100. Only 1 category found = score 70 (something is missing). No legal page signals at all = score 20. The test uses multilingual keyword matching in French, English, Spanish and German. Keep in mind what a keyword match proves: a footer link labelled "Privacy policy" scores the same as a complete, accurate policy. The test detects that the pages are signposted, not that their content is adequate.

A website without a privacy policy is like a shop without a door — anyone can see what is happening inside, and the law will notice.

Test #57: Is there a cookie consent banner?

Test #57 takes a different approach. Instead of looking for legal wording, it scans the HTML for technical signatures of consent management platforms (CMPs):

  1. Known CMP platforms — the test recognizes 20+ platforms: Cookiebot, OneTrust, Axeptio, Tarteaucitron, Complianz, Didomi, Iubenda, Borlabs Cookie, and more. If any platform script or identifier is found, score = 100
  2. IAB TCF v2 API: the industry standard consent framework. The test checks for the global __tcfapi function and for Google Consent Mode signals such as gtag('consent', ...) calls
  3. Generic banner patterns — CSS classes like "cookie-consent", "cookie-banner", "gdpr-banner", data attributes like data-consent-type, and button text like "Accept cookies" in four languages

If a known CMP platform is detected, the score is 100. If only generic signals are found (but no recognized CMP), the score is 80 — a consent mechanism exists but may not be robust. If nothing is found at all, the score drops to 20.
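Both scans above can be reproduced with a few regular expressions. The script below is an added example written for this article, not Orilyt's own detection code: the keyword and CMP signature lists are an assumed subset of what tests #34 and #57 match, the sample pages are constructed, and it adds one check the tests as described do not perform, namely whether a "reject all" button is present (violation #3 in the list further down).

```python
"""Static scan of a page's HTML for legal-page signals (test #34) and
cookie-consent mechanisms (test #57). Standard library only."""
import re

# Keyword signals per category in FR/EN/ES/DE. Orilyt's exact word lists are
# not published; these are an assumed subset written for this example.
LEGAL_SIGNALS = {
    "legal_notice": [r"legal notice", r"\bimprint\b", r"impressum",
                     r"mentions l[ée]gales", r"aviso legal"],
    "privacy_policy": [r"privacy policy", r"politique de confidentialit[ée]",
                       r"datenschutz", r"pol[ií]tica de privacidad",
                       r"personal data", r"donn[ée]es personnelles"],
    "terms": [r"terms (?:and conditions|of use|of service)",
              r"conditions g[ée]n[ée]rales", r"\bagb\b",
              r"t[ée]rminos y condiciones"],
    "cookie_policy": [r"cookie policy", r"politique de cookies",
                      r"cookie-richtlinie", r"pol[ií]tica de cookies"],
}

# Script hosts and identifiers of some CMPs named in the article. Assumed
# signatures for this example; a production list covers many more platforms.
CMP_SIGNATURES = {
    "Cookiebot": ["consent.cookiebot.com", "cookiebot"],
    "OneTrust": ["cdn.cookielaw.org", "optanon"],
    "Axeptio": ["axept.io", "axeptio"],
    "Tarteaucitron": ["tarteaucitron"],
    "Complianz": ["cmplz"],
    "Didomi": ["didomi"],
    "Iubenda": ["iubenda"],
    "Borlabs Cookie": ["borlabscookie", "borlabs-cookie"],
}

# Generic signals: TCF v2 API, Google Consent Mode, banner markup, accept text.
GENERIC_SIGNALS = [
    ("IAB TCF v2 API", r"__tcfapi"),
    ("Google Consent Mode", r"""gtag\(\s*['"]consent['"]"""),
    ("banner markup", r"cookie-consent|cookie-banner|gdpr-banner|data-consent-type"),
    ("accept button", r"accept (?:all )?cookies|accepter (?:tous )?les cookies|"
                      r"aceptar (?:todas las )?cookies|(?:alle )?cookies akzeptieren"),
]

# Reject-all wording. Test #57 as described does not look for this; the check
# is added here because a banner with no reject option is a common violation.
REJECT_TEXT = (r"reject all|refuse all|decline all|tout refuser|"
               r"refuser (?:tous )?les cookies|rechazar (?:todo|todas)|alle ablehnen")


def legal_page_check(html):
    """Test #34 scoring: 2+ categories -> 100, one -> 70, none -> 20."""
    text = html.lower()
    found = [cat for cat, pats in LEGAL_SIGNALS.items()
             if any(re.search(p, text) for p in pats)]
    score = 100 if len(found) >= 2 else 70 if found else 20
    return score, found


def consent_check(html):
    """Test #57 scoring: known CMP -> 100, generic signal only -> 80, nothing -> 20."""
    text = html.lower()
    for name, sigs in CMP_SIGNATURES.items():
        if any(s in text for s in sigs):
            return 100, "cmp", name
    for label, pat in GENERIC_SIGNALS:
        if re.search(pat, text):
            return 80, "generic", label
    return 20, "none", None


def reject_button_present(html):
    """Added check: is there a 'reject all' control alongside 'accept'?"""
    return re.search(REJECT_TEXT, html.lower()) is not None


# Constructed sample pages (not real sites).
SITE_WITH_CMP = """<html><head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000"></script>
</head><body>
<div class="banner"><button>Tout accepter</button><button>Tout refuser</button></div>
<footer><a href="/mentions-legales">Mentions légales</a>
<a href="/confidentialite">Politique de confidentialité</a>
<a href="/cookies">Politique de cookies</a></footer>
</body></html>"""

SITE_GENERIC = """<html><body>
<div class="cookie-banner"><p>We use cookies.</p><button>Accept cookies</button></div>
<footer><a href="/privacy">Privacy policy</a></footer>
</body></html>"""

SITE_BARE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
</head><body><h1>Welcome</h1></body></html>"""


if __name__ == "__main__":
    for label, page in (("cmp", SITE_WITH_CMP), ("generic", SITE_GENERIC), ("bare", SITE_BARE)):
        print(label, legal_page_check(page), consent_check(page), reject_button_present(page))
```

Two limitations worth knowing before trusting the output: a CMP name mentioned in prose (for example inside the privacy policy text) counts as a hit just like its script tag, and the bare sample scores 20 on test #57 even though it loads gtag.js unconditionally, which is exactly the case the banner is supposed to prevent. The static scan tells you a mechanism is absent; only a browser test tells you whether trackers fire.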

The absence of any consent mechanism is the highest-risk finding on a site that loads third-party trackers. It means cookies and trackers can fire freely, which breaches Article 5(3) of the ePrivacy Directive (consent before storing or reading information on the visitor's device, with consent as defined by GDPR). One caveat: a site that sets only strictly necessary cookies and loads no trackers needs no banner at all, and a static scan cannot tell the two cases apart, so confirm in the browser what actually fires.

The 4 most common violations

After analyzing thousands of WordPress sites, the same violations appear again and again:

  1. No privacy policy page — the site has no page explaining what personal data is collected, why, and by whom. This is the most basic GDPR requirement and the most frequently missing
  2. Tracking scripts loading before consent: Google Analytics, Facebook Pixel or Hotjar fire immediately on page load, before the visitor has interacted with any cookie banner. This is a direct violation of the "prior consent" principle
  3. Cookie banner without a reject option — the banner has an "Accept all" button but no equivalent "Reject all" button. CNIL and other regulators have been clear: rejecting must be as easy as accepting
  4. No cookie banner at all — the site drops cookies without any notice or consent mechanism. Surprisingly common on sites that "don't think they use cookies" but load third-party scripts that do

These are not edge cases. They affect the majority of WordPress sites. Tests #34 and #57 flag the first and the last directly; tracking before consent and a missing reject button are not visible in a static HTML scan and need the browser check described in the fix workflow below.

How to fix GDPR violations

The good news: most GDPR compliance issues are fixable in under an hour. Here is the recommended workflow:

  1. Add missing legal pages: create a privacy policy, legal notice and cookie policy page. For WordPress, plugins like Complianz or Iubenda generate templates; for custom sites, adapt a model from your local data protection authority. A template is a starting point, not a finished policy: it must be edited to name the data the site actually collects, the processors it sends it to and the retention periods, otherwise it is itself inaccurate information under GDPR
  2. Install a consent management platform: Tarteaucitron (free, French), Cookiebot, or Complianz (WordPress plugin) are popular choices. Configure it to block all tracking scripts until consent is given (prior blocking), including any tags loaded through Google Tag Manager, which otherwise fire regardless of the banner
  3. Verify prior consent: after installation, open a private window with the browser developer tools on the Network tab, clear cookies and site storage (CMPs remember a past choice in a cookie or localStorage, so a stale "accept" hides the problem), reload and leave the banner unanswered. No request to Google Analytics, Facebook, Hotjar or any other tracker should appear, and no tracking cookie should be set, before "Accept" is clicked. This is the critical test
  4. Add a visible reject button: ensure the cookie banner offers "Accept all" and "Reject all" with equal prominence. No dark patterns (tiny reject link, pre-checked boxes, confusing wording)
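Step 3 is easy to do by eye once, but agencies that audit many sites want it repeatable. The script below is an added example, not Orilyt's or any CMP's code: it reads a HAR file exported from the Network tab after the cookies-cleared, banner-unanswered reload, and reports every request to a tracker host and every server-set cookie. The tracker domain list is an assumed starting set, and the HAR embedded in the block is constructed to show both a passing and a failing capture.

```python
"""Check a HAR capture for tracker requests that fired before consent.
Capture procedure: private window, DevTools Network tab, clear cookies and
site storage, reload, do NOT touch the banner, export the log as HAR."""
import json
import sys
from urllib.parse import urlparse

# Hosts whose requests mean a tracker fired. Assumed list for this example;
# extend it with whatever the CMP is supposed to block on the audited site.
TRACKER_DOMAINS = (
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
    "facebook.com", "connect.facebook.net", "hotjar.com", "clarity.ms",
)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_tracker(url):
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def header_values(part, name):
    """All values of a header (case-insensitive) in a HAR request or response."""
    return [h["value"] for h in part.get("headers", [])
            if h.get("name", "").lower() == name]


def analyse_har(har, page_host):
    """Walk every entry; classify hosts, collect tracker hits and Set-Cookie headers."""
    page_host = page_host.lower()
    report = {"tracker_requests": [], "third_party_hosts": set(), "cookies_set": []}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        host = host_of(url)
        if host != page_host and not host.endswith("." + page_host):
            report["third_party_hosts"].add(host)
        if is_tracker(url):
            report["tracker_requests"].append(url)
        for raw in header_values(entry["response"], "set-cookie"):
            name = raw.split(";", 1)[0].split("=", 1)[0].strip()
            report["cookies_set"].append((host, name))
    report["third_party_hosts"] = sorted(report["third_party_hosts"])
    return report


def prior_consent_respected(report):
    """True only if no tracker request was made while the banner was unanswered."""
    return not report["tracker_requests"]


# Constructed HAR (not a real capture): a page that loads a CMP but lets
# gtag.js, the GA4 hit, the Facebook pixel and Hotjar fire anyway.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.example.com/", "headers": []},
     "response": {"status": 200, "headers": [
         {"name": "Set-Cookie", "value": "PHPSESSID=abc123; Path=/; HttpOnly"}]}},
    {"request": {"url": "https://consent.cookiebot.com/uc.js", "headers": []},
     "response": {"status": 200, "headers": []}},
    {"request": {"url": "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", "headers": []},
     "response": {"status": 200, "headers": []}},
    {"request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&en=page_view",
                 "headers": []},
     "response": {"status": 204, "headers": []}},
    {"request": {"url": "https://www.facebook.com/tr?id=000&ev=PageView", "headers": []},
     "response": {"status": 200, "headers": [
         {"name": "set-cookie", "value": "fr=token; Domain=.facebook.com; Path=/"}]}},
    {"request": {"url": "https://static.hotjar.com/c/hotjar-000.js?sv=6", "headers": []},
     "response": {"status": 200, "headers": []}},
]}}


if __name__ == "__main__":
    # usage: python har_check.py capture.har www.example.com   (no args: run the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har, page_host = json.load(fh), sys.argv[2]
    else:
        har, page_host = SAMPLE_HAR, "www.example.com"
    result = analyse_har(har, page_host)
    print("prior consent respected:", prior_consent_respected(result))
    for url in result["tracker_requests"]:
        print("  tracker fired before consent:", url)
    for host, name in result["cookies_set"]:
        print("  cookie set by", host, ":", name)
```

Read the output with two things in mind. The cookie list only shows cookies set by Set-Cookie headers; the _ga cookie is written by gtag.js from JavaScript and never appears in a HAR, so also look at the browser's cookie storage after the reload. And not every cookie in the list is a problem: PHPSESSID in the sample is a strictly necessary session cookie and exempt from consent, whereas the fr cookie from facebook.com is the kind of thing the CMP was supposed to prevent.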

After making these changes, run a new Orilyt audit. Test #34 should score 100 (legal pages detected) and test #57 should score 100 (CMP platform detected). If not, the report tells you exactly what is still missing.

GDPR compliance as a business argument

For freelancers and agencies, GDPR compliance findings are among the most compelling in any audit. They combine legal urgency with emotional impact.

In the Orilyt report, tests #34 and #57 generate clear FIA (Fact, Impact, Action) recommendations:

  1. Fact: "No privacy policy detected" or "No cookie consent mechanism found"
  2. Impact: "The site violates GDPR Article 13 — fines can reach 4% of annual revenue or 20 million euros" or "Third-party trackers are firing without consent — each visit is a potential complaint to the CNIL"
  3. Action: "Create a privacy policy page and link it in the footer" or "Install a consent management platform and configure prior blocking of all tracking scripts"

Nothing motivates a client faster than the word "fine". When a prospect sees that their site has no privacy policy and no cookie banner, the conversation shifts from "should we do this?" to "how fast can you fix it?". GDPR compliance audits sell themselves.

GDPR fines are not reserved for big tech. Any website collecting personal data without consent is at risk — and most WordPress sites collect more than their owners realize.

Compliance is not a feature — it is a legal obligation

GDPR compliance is not a nice-to-have. It is the law. A missing privacy policy, a non-compliant cookie banner, or tracking scripts firing before consent — each of these can trigger a regulatory investigation. Tests #34 and #57 detect these issues in seconds.

For agencies, GDPR compliance is the easiest add-on service to sell. The audit finds the problem, the report explains the risk in plain language, and the fix takes under an hour. The client understands the urgency without needing a technical explanation.

Run an audit. Check tests #34 and #57. If both score 100, the site has the basics covered. If either scores below 100, the report says what is missing, there is work to do, and there is a service to sell.

Check any site's GDPR compliance in 2 minutes
Run a free audit and see if legal pages are present and cookie consent is properly implemented — alongside 56 other tests.