GDPR Cookie Consent: How to Prove Your Banner Was Actually Compliant
Your cookie banner was compliant last month. Can you prove it? Because a DPA investigator is going to ask, and 'I think so' isn't an answer.
Your CMP Says You're Compliant. Can You Prove It?
You've set up your Consent Management Platform. You've configured the categories, the toggle switches, the reject button. Your CMP dashboard shows a green checkmark. Congratulations — you're compliant right now. But were you compliant on February 14th? On December 3rd? On the day a user filed a complaint with the CNIL?
Here's the gap that catches companies off guard: CMPs manage your consent implementation in real time. They don't create a historical, verifiable archive of what your cookie banner actually displayed to visitors on specific dates. Software updates change banner behavior. Configuration changes alter the wording. A developer deploys a new version that accidentally breaks the reject button for three days. Without screenshots, you have no evidence of what users actually saw.
Data Protection Authorities don't audit your CMP dashboard. They audit what visitors experienced on your website. Those are two different things, and the difference matters when fines are on the table.
What DPAs Actually Request
When a DPA investigates cookie consent compliance — triggered by a complaint, a sweep, or a routine audit — they request evidence of what was displayed. Not your CMP configuration. Not your internal policy documents. The actual user experience.
The CNIL in France has been particularly aggressive here. Their cookie consent sweeps examine whether the reject option was as prominent as the accept option, whether pre-ticked boxes were used, and whether consent was required before non-essential cookies fired. They look at specific dates because complaints reference specific dates.
VaultShot captures your website — including the cookie banner — as visitors see it. The screenshot shows exactly how the banner rendered: where the buttons were, what the text said, whether the reject option was visible without scrolling. Combined with the SHA-256 hash and timestamp, it creates the evidence trail that DPAs expect to see.
The Planet49 Problem
The CJEU's Planet49 ruling established that pre-ticked consent boxes are invalid under GDPR. The EDPB's guidelines went further: consent must be freely given, specific, informed, and unambiguous. Cookie walls — forcing users to accept cookies to access content — are generally non-compliant.
These requirements apply continuously, not just at implementation. If your CMP provider pushes an update that introduces a dark pattern — say, making the 'Accept All' button green and prominent while hiding 'Reject All' in gray text — your cookie consent is no longer valid from that moment forward.
Companies that discover this after a DPA investigation have a problem: they can't prove when the non-compliant behavior started. With daily website captures, you can pinpoint exactly when the banner changed and demonstrate that you corrected it promptly. That context matters enormously in enforcement decisions.
Building Your Cookie Consent Archive
The practical approach is straightforward: capture your website daily (or more frequently if you make regular changes), and ensure the capture includes the cookie banner as it renders to first-time visitors. VaultShot does this automatically — since we capture the page in a clean browser session, the cookie banner appears exactly as a new visitor would see it.
Over time, you build a chronological archive of your cookie consent implementation. Every version is timestamped and hashed. If a DPA asks what your banner looked like on any given date, you pull the certificate from that date and send it over. Investigation resolved with evidence instead of speculation.
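A sketch of such an archive as an added example (not VaultShot's code or format): each capture record stores a SHA-256 of the screenshot and of the banner text, and is linked to the previous record's hash so that edited or missing records are detectable. The field names, the hash chaining, the separately extracted banner text, and all sample data are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed marker for the start of the chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_capture(manifest, captured_at, image, banner_text):
    entry = {
        "captured_at": captured_at,
        "image_sha256": sha256_hex(image),
        "banner_sha256": sha256_hex(banner_text.encode()),
        "prev": manifest[-1]["entry_sha256"] if manifest else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    manifest.append(entry)

def verify(manifest, images):
    """Return the capture dates whose record or stored image fails its hash check."""
    failed, prev = [], GENESIS
    for e in manifest:
        intact = (e["prev"] == prev
                  and e["entry_sha256"] == entry_digest(e)
                  and sha256_hex(images[e["captured_at"]]) == e["image_sha256"])
        if not intact:
            failed.append(e["captured_at"])
        prev = e["entry_sha256"]
    return failed

def banner_changes(manifest):
    """Return the dates on which the banner text differs from the previous capture."""
    return [cur["captured_at"] for old, cur in zip(manifest, manifest[1:])
            if old["banner_sha256"] != cur["banner_sha256"]]

def build_demo():
    # Constructed sample data: four daily captures, reject button missing on day 3.
    days = [("2025-03-01", "Accept all | Reject all"), ("2025-03-02", "Accept all | Reject all"),
            ("2025-03-03", "Accept all | Manage options"), ("2025-03-04", "Accept all | Reject all")]
    manifest, images = [], {}
    for date, banner in days:
        images[date] = f"PNG bytes for {date}: {banner}".encode()  # stand-in for a screenshot
        append_capture(manifest, date, images[date], banner)
    return manifest, images

if __name__ == "__main__":
    manifest, images = build_demo()
    print("failed checks:", verify(manifest, images))
    print("banner changed on:", banner_changes(manifest))
```

A chain kept only by the site operator shows that the records are internally consistent; it does not by itself prove when they were created.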
At $19/month, it's cheaper than the coffee your compliance team drinks while trying to reconstruct cookie consent history from CMP logs.
Ready to automate your website compliance?
Daily captures, SHA-256 hashing, PDF compliance certificates. Try the free snapshot — no account needed. Go Pro for $19/mo.