IAB TCF v2.2 · IAB GPP · ePrivacy 2002/58/EC · CCPA §1798.135 · CPRA · Deep Prototype

CookieConsent — TCF v2.2 + GPP Signal Validator

12 properties across 4 jurisdictions (EU, US-CA, US-VA, multi-state). Validates IAB TCF v2.2 + GPP MSPS strings and runs 8 banner checks per property (including reject-all on layer 1, balanced buttons, scroll ≠ consent, cookie-table accuracy, no dark patterns, no non-essential cookies pre-consent). Surfaces the €60M CNIL pattern (reject buried in settings) and the beta domain with NO BANNER firing GA4 + Hotjar.

What it is

The shape behind every CMP (OneTrust, Cookiebot, Didomi, Sourcepoint) — but pointed at the gap regulators actually fine. Decode the consent string, check 8 banner-UX rules, validate the cookie table against what is actually loading.

What’s in it

  • 12 properties across EU, US-CA, US-VA, multi-state.
  • 8 validation checks per property:
    1. Banner present (ePrivacy Art 5(3) / §1798.135)
    2. TCF v2.2 (EU) or GPP MSPS (US) signal present
    3. Reject-all on layer 1 (€60M CNIL fine pattern)
    4. Balanced accept/reject buttons (EDPB 03/2022)
    5. Scroll ≠ consent (CNIL 2020 ruling)
    6. Cookie table matches scripts actually loaded
    7. No dark-pattern UX
    8. No non-essential cookies pre-consent
  • Worst-offender findings:
    • marketing.example.com — no reject-all, scroll-acceptance, cookie-table mismatch, dark patterns
    • press.example.com — reject button buried in 3rd-layer settings panel (literal CNIL €60M pattern)
    • beta.example.com — NO BANNER deployed; GA4 + Hotjar firing without consent (ePrivacy violation)
    • partners.example.com — banner correct, but cookie table missing the new ad-tech vendor (silent drift)
  • TCF v2.2 string decoder + GPP MSPS section decoder — shows purposes 1-11, special features 1-2, and the multi-state opt-out booleans.
  • Per-property regulatory citations — IAB TCF v2.2, IAB GPP v1.1, ePrivacy 2002/58/EC Art 5(3), GDPR Recital 32, CCPA §1798.135, CPRA §1798.140, EDPB 03/2022 on deceptive patterns.
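
The TC string decoding step from the list above, as an added example (not the tool's own code): it reads the fixed-offset fields of a TCF v2 core segment and compares the granted purposes with what a tag needs. The sample string is constructed, and `missingPurposes` and the purpose list passed to it are hypothetical.

```javascript
// Base64url alphabet: each character of a TC string carries 6 bits.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Expand the core segment (the text before the first ".") into "0"/"1" characters.
function tcBits(tcString) {
  let bits = "";
  for (const ch of tcString.split(".")[0]) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    bits += v.toString(2).padStart(6, "0");
  }
  return bits;
}

// Decode the fixed-offset fields of the core segment (TC string version 2).
function decodeTcCore(tcString) {
  const bits = tcBits(tcString);
  if (bits.length < 213) throw new Error("core segment too short");
  const int = (off, len) => parseInt(bits.slice(off, off + len), 2);
  // 1-based IDs whose bit is set in the bitfield starting at `off`.
  const ids = (off, len) =>
    [...bits.slice(off, off + len)].flatMap((b, i) => (b === "1" ? [i + 1] : []));
  // Two letters, 6 bits each, with A = 0.
  const letters = (off) => String.fromCharCode(65 + int(off, 6), 65 + int(off + 6, 6));
  if (int(0, 6) !== 2) throw new Error("unsupported TC string version");
  return {
    cmpId: int(78, 12),
    consentLanguage: letters(108),
    tcfPolicyVersion: int(132, 6),
    isServiceSpecific: bits[138] === "1",
    specialFeatureOptIns: ids(140, 12),
    purposeConsents: ids(152, 24),
    purposeLegitimateInterests: ids(176, 24),
    publisherCC: letters(201),
  };
}

// Hypothetical helper: purposes a loaded tag relies on that the string does not grant.
function missingPurposes(decoded, requiredPurposes) {
  return requiredPurposes.filter((p) => !decoded.purposeConsents.includes(p));
}

// Constructed sample (not captured from a real site): header fields, then flag/purpose bits.
const SAMPLE_TC = "C" + "A".repeat(12) + "AKABBENABE" + "oAIPAAEAAAAqI";
const decoded = decodeTcCore(SAMPLE_TC);
console.log(decoded, missingPurposes(decoded, [1, 3, 4]));
```

A non-empty result from `missingPurposes` for a tag that has already loaded is the mismatch between consent string and page behaviour that checks 6 and 8 look for.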

Why this shape

CMPs ship banners. Regulators fine for banner-UX, not for the cert. The €60M Facebook/Google CNIL fine (2021), the €150M Google fine (same year), the Sephora fine ($1.2M, 2022) — every one came from the gap between the banner UX and the consent string. CookieConsent prototypes the layer that catches it.

How it ships

Single HTML file, ~20KB. Zero dependencies. 12 properties × 8 checks × decoded TCF/GPP in 200 lines of vanilla JavaScript.