A data protection authority sends your organization an audit request. Among the questions: "Describe how you monitor and ensure ongoing cookie compliance across your web properties." Can you answer that with documented evidence, or just a vague reference to the consent banner your marketing team installed two years ago?
For Data Protection Officers (DPOs), cookie compliance isn't a one-time checkbox. It's an ongoing monitoring obligation with real accountability requirements. This guide provides a practical framework for building a cookie compliance monitoring program that satisfies GDPR Article 5(2) accountability and actually catches problems before regulators do.
The DPO's Cookie Compliance Responsibilities
Under GDPR Article 39, the DPO's tasks include monitoring compliance with the regulation, advising on Data Protection Impact Assessments (DPIAs), and cooperating with supervisory authorities. Cookies sit squarely within this mandate because they involve personal data processing, are separately governed by the ePrivacy Directive's consent rules, and often trigger cross-border data transfers.
Specifically, the DPO should be responsible for:
Policy Oversight
- Ensuring a documented cookie policy exists and is kept current
- Verifying the cookie policy aligns with actual website behavior
- Reviewing and approving new cookies before deployment
- Maintaining a cookie register that maps each cookie to its legal basis and purpose
Technical Verification
- Confirming that the Consent Management Platform (CMP) blocks non-essential cookies until consent is given
- Validating that consent records are stored and retrievable
- Checking that cookie expiry periods are proportionate to their purpose
- Verifying that third-party cookies comply with data processing agreements
Accountability Documentation
- Maintaining evidence of regular compliance checks
- Documenting remediation actions when violations are found
- Keeping audit trails that demonstrate ongoing monitoring
- Preparing materials for potential supervisory authority inquiries
The gap between policy and reality is where most organizations fail. A cookie policy might say "we only set analytics cookies after consent," but the website itself might fire Google Analytics on page load. The DPO's job is to close that gap.
Building a Monitoring Cadence
Effective monitoring requires a structured cadence. Cookie compliance isn't static: new scripts get added, CMP configurations change, plugin updates introduce new cookies, and third-party vendors modify their tracking behavior. A monitoring schedule catches drift before it becomes a violation.
Weekly: Automated Scans
Run automated compliance scans on your primary web properties every week. This is your early warning system.
What to check:
- Pre-consent cookie count (should be zero for non-essential categories)
- New or unrecognized cookies appearing since last scan
- Gretel Score trends (any score drops indicate new issues)
- CMP detection status (verify the consent banner is loading correctly)
Automated scanning is where tools like Gretelfy add the most value. A weekly scan takes seconds and produces a documented record of compliance status. Manual browser checks can't match this for consistency or evidence quality.
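One way to turn a weekly scan into a documented check, as an added example that is not Gretelfy's code or output: reconcile the cookies observed before consent against the cookie register, flag unregistered cookies, non-essential cookies firing pre-consent, and expiry periods longer than the register allows, with severities following the triage classes used later in this guide. The scan result format, the register layout, and all cookie entries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed cookie register (hypothetical entries): name -> category and approved expiry.
REGISTER = {
    "session_id": {"category": "necessary", "max_expiry_days": 1},
    "_ga": {"category": "analytics", "max_expiry_days": 730},
    "_fbp": {"category": "marketing", "max_expiry_days": 90},
    "lang_pref": {"category": "functional", "max_expiry_days": 365},
}

# Constructed weekly scan: cookies observed before the consent banner was answered.
PRE_CONSENT_SCAN = [
    {"name": "session_id", "domain": "example.test", "expiry_days": 0},
    {"name": "_ga", "domain": ".example.test", "expiry_days": 730},
    {"name": "_fbp", "domain": ".example.test", "expiry_days": 90},
    {"name": "lang_pref", "domain": "example.test", "expiry_days": 400},
    {"name": "tracker_xyz", "domain": ".adnet.test", "expiry_days": 365},
]

# Severity of a pre-consent cookie per category, following the triage list in this guide.
PRE_CONSENT_SEVERITY = {"marketing": "critical", "analytics": "high", "functional": "medium"}


@dataclass
class Violation:
    cookie: str
    kind: str
    severity: str


def reconcile(scan, register):
    """Return violations found by comparing a pre-consent scan with the register."""
    violations = []
    for cookie in scan:
        name = cookie["name"]
        entry = register.get(name)
        if entry is None:
            # Unknown cookie: no purpose or legal basis on file (assumed: treat as high until classified).
            violations.append(Violation(name, "unregistered", "high"))
            continue
        category = entry["category"]
        if category != "necessary":
            # Anything non-essential must not be set until consent is given.
            violations.append(Violation(name, f"pre_consent_{category}", PRE_CONSENT_SEVERITY[category]))
        if cookie["expiry_days"] > entry["max_expiry_days"]:
            violations.append(Violation(name, "expiry_exceeds_register", "low"))
    return violations


def non_essential_pre_consent_count(scan, register):
    """The weekly KPI from the checklist above: this number should be zero."""
    return sum(1 for v in reconcile(scan, register) if v.kind.startswith("pre_consent_"))
```

Store the returned violation list with the scan date; that record is the evidence the monitoring program needs.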
Monthly: Detailed Review
Once a month, go deeper than the automated scan results.
What to review:
- Full cookie inventory against your cookie register
- Third-party vendor compliance (are your processors meeting their DPA obligations?)
- Consent rate analytics (unusually high acceptance rates may indicate dark patterns)
- New pages, subdomains, or microsites that may not be covered by the CMP
- Any changes to marketing technology stack
Quarterly: Governance Reporting
Produce a quarterly compliance report for your organization's leadership.
What to include:
- Gretel Score trends across all monitored domains
- Number and severity of violations detected and remediated
- Outstanding issues and their risk assessment
- Upcoming regulatory changes that may affect cookie practices
- Recommendations for CMP configuration or vendor changes
This quarterly report becomes essential documentation for GDPR Article 5(2) accountability. When a DPA asks how you ensure ongoing compliance, you hand them this report.
Annual: Comprehensive Audit
Once a year, conduct a thorough cookie compliance audit that goes beyond automated scanning.
Audit scope:
- Full manual review of CMP configuration and behavior
- Cross-browser testing (CMP behavior can vary between browsers)
- Mobile vs desktop compliance verification
- DPIA review for high-risk processing activities involving cookies
- Vendor risk assessment for all third-party cookie processors
- Review of consent mechanism against current regulatory guidance
For a step-by-step audit methodology, see our cookie compliance audit guide.
Using the Gretel Score as a Compliance KPI
The Gretel Score provides a 0-100 compliance rating based on pre-consent behavior. For DPOs, this score serves as a quantifiable Key Performance Indicator (KPI) that can be tracked over time and reported to leadership.
Setting Score Thresholds
Establish internal thresholds that trigger different responses:
| Gretel Score | Status | DPO Action |
|---|---|---|
| 90-100 | Strong | Document in quarterly report, continue monitoring |
| 70-89 | Needs attention | Investigate violations, create remediation plan within 2 weeks |
| 50-69 | Significant issues | Escalate to IT/marketing, remediate within 1 week |
| Below 50 | Critical | Immediate escalation, emergency remediation, consider suspending affected tracking |
Tracking Score Trends
A single score is a snapshot. Trend data tells the real story. Monitor for:
- Gradual decline: Often indicates configuration drift as new scripts are added without consent gating
- Sudden drop: Usually caused by a CMP misconfiguration, a plugin update, or a new marketing tag deployed without review
- Score divergence across properties: Suggests inconsistent CMP deployment or different teams managing different sites
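The threshold table and the three trend patterns above, as an added example that is not Gretelfy's own code: it maps each property's latest score to a status band and labels its weekly history as a sudden drop, a gradual decline, or stable, and flags divergence across properties. The numeric cut-offs for "sudden", "gradual" and "divergence" are assumptions chosen for illustration, as are the three property histories.

```python
SUDDEN_DROP = 15      # assumed: points lost between two consecutive weekly scans
GRADUAL_WINDOW = 4    # assumed: consecutive scans that never improve...
GRADUAL_TOTAL = 10    # ...and lose at least this many points in total
DIVERGENCE_GAP = 20   # assumed: best-minus-worst property gap worth flagging


def status(score):
    """Status band from the threshold table above."""
    if score >= 90:
        return "strong"
    if score >= 70:
        return "needs attention"
    if score >= 50:
        return "significant issues"
    return "critical"


def classify_trend(scores):
    """scores: weekly Gretel Scores, oldest first. Returns a trend label."""
    if len(scores) < 2:
        return "insufficient data"
    if scores[-2] - scores[-1] >= SUDDEN_DROP:
        return "sudden drop"          # CMP misconfiguration, plugin update, unreviewed tag
    window = scores[-GRADUAL_WINDOW:]
    non_increasing = all(later <= earlier for earlier, later in zip(window, window[1:]))
    if len(window) == GRADUAL_WINDOW and non_increasing and window[0] - window[-1] >= GRADUAL_TOTAL:
        return "gradual decline"      # configuration drift
    return "stable"


def divergence(latest_by_property):
    """True when the gap between best and worst property suggests inconsistent CMP deployment."""
    values = list(latest_by_property.values())
    return max(values) - min(values) >= DIVERGENCE_GAP


def weekly_report(history):
    """history: {property: [scores oldest first]} -> (per-property summary, divergence flag)."""
    summary = {prop: {"score": s[-1], "status": status(s[-1]), "trend": classify_trend(s)}
               for prop, s in history.items()}
    return summary, divergence({prop: s[-1] for prop, s in history.items()})


# Constructed five-week histories for three hypothetical properties.
HISTORY = {
    "www": [96, 94, 91, 87, 84],
    "shop": [92, 93, 91, 92, 61],
    "blog": [88, 89, 90, 90, 91],
}
```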
Score as Board-Level Metric
Privacy-mature organizations report compliance metrics to the board. The Gretel Score translates technical compliance into a number that non-technical stakeholders understand. A board member doesn't need to know what _fbp is, but they understand that the organization's compliance score dropped from 92 to 61 this quarter.
Incident Response for Cookie Violations
When a scan or audit reveals a violation, having a documented incident response procedure ensures consistent, timely remediation.
Step 1: Triage and Classification
Assess the violation's severity and scope:
- Critical: Pre-consent marketing cookies or cross-border data transfers without consent. Affects all visitors. Requires immediate remediation.
- High: Pre-consent analytics cookies or CMP configuration failures. Affects most visitors. Remediate within 24-48 hours.
- Medium: Functional cookies miscategorized as necessary, or consent banner design issues (e.g., no reject button). Remediate within 1 week.
- Low: Excessive cookie expiry periods or missing cookie descriptions. Remediate within 1 month.
Step 2: Root Cause Analysis
Determine how the violation occurred:
- Was a new script added without going through the cookie approval process?
- Did a CMP configuration change introduce a bug?
- Did a third-party vendor update their tracking code?
- Was the consent banner bypassed on certain page templates?
Step 3: Remediation
Fix the immediate issue:
- Block the offending cookie or script behind the consent gate
- Update the CMP configuration
- Remove unauthorized tracking code
- Contact the third-party vendor if their code changed unexpectedly
Step 4: Verification
After remediation, run a fresh scan to confirm the violation is resolved. Don't rely on the team saying "it's fixed." Verify independently.
Step 5: Documentation
Record the entire incident:
- When the violation was detected
- What the violation was and its severity
- Root cause analysis
- Remediation actions taken
- Verification results
- Preventive measures implemented
This documentation serves double duty: it demonstrates accountability under GDPR Article 5(2) and it helps prevent recurrence.
Documentation for GDPR Article 5(2) Accountability
GDPR Article 5(2) states: "The controller shall be responsible for, and be able to demonstrate compliance with" the data protection principles. For cookies, this means you need documented evidence of your compliance efforts.
What to Document
Cookie Register: A living document listing every cookie your website sets, including:
- Cookie name and domain
- Purpose and legal basis
- Category (necessary, functional, analytics, marketing)
- Data processor and DPA reference
- Expiry period and justification
- Date added and last reviewed
Monitoring Records: Evidence of regular compliance checks, including:
- Automated scan results with dates and scores
- Manual audit reports
- Remediation records
- Quarterly governance reports
Consent Records: Proof that valid consent is obtained, including:
- CMP configuration exports showing default-off for non-essential cookies
- Consent log samples demonstrating user opt-in
- Evidence that rejection is as easy as acceptance
Process Documentation: Written procedures covering:
- New cookie approval process
- Monitoring cadence and responsibilities
- Incident response procedures
- Vendor assessment criteria for cookie-related processors
Storage and Retrieval
Store all documentation in a format that's easily retrievable. When a DPA sends an audit questionnaire, you should be able to produce relevant records within days, not weeks. Consider a dedicated compliance folder in your document management system with standardized naming conventions.
Multi-Site Monitoring
Organizations with multiple web properties face amplified complexity. Each site may use different CMPs, different marketing stacks, and different development teams.
Centralized Monitoring Dashboard
Monitor all properties from a single dashboard rather than checking each site individually. Key metrics to track per property:
- Current Gretel Score
- Score trend (7-day, 30-day, 90-day)
- Number of active violations
- Last scan date
- CMP status
Consistent Standards Across Properties
Establish organization-wide cookie compliance standards:
- Approved CMP vendors and configuration templates
- Mandatory cookie categories and classification rules
- Minimum acceptable Gretel Score for all properties
- Required monitoring frequency based on traffic and risk level
Responsibility Matrix
For each property, document:
- Who manages the CMP configuration
- Who approves new cookies and scripts
- Who receives violation alerts
- Who is responsible for remediation
- Escalation path for critical violations
Integrating Cookie Compliance into DPIAs
Data Protection Impact Assessments are required under GDPR Article 35 for processing that is "likely to result in a high risk to the rights and freedoms of natural persons." Cookie-related processing frequently meets this threshold, especially when it involves:
- Large-scale profiling or behavioral tracking
- Systematic monitoring of website visitors
- Cross-border data transfers to third-party advertising networks
- New marketing technology deployments
Cookie-Specific DPIA Elements
When assessing cookie-related processing in a DPIA, address:
Necessity and Proportionality: Is each cookie necessary for its stated purpose? Are expiry periods proportionate? Could the same goal be achieved with less invasive methods?
Risk Assessment: What risks do the cookies pose to data subjects? Consider: cross-site tracking, profiling, data transfers to countries without adequacy decisions, and potential data breaches at third-party processors.
Safeguards: What measures mitigate the identified risks? Document: consent mechanism design, cookie blocking before consent, data minimization measures, and vendor DPAs.
Monitoring: How will ongoing compliance be verified? Reference your monitoring cadence, automated scanning setup, and incident response procedures.
When to Reassess
Trigger a DPIA review when:
- Adding a new analytics or marketing platform
- Changing CMP vendors
- Expanding to new markets (different regulatory requirements)
- A significant Gretel Score drop indicating potential new processing activities
Staying Ahead of Regulatory Changes
Cookie compliance regulation continues to evolve. The DPO must track relevant developments. Key areas to watch in 2026:
- ePrivacy Regulation progress: When it finally replaces the ePrivacy Directive, consent rules may change
- DPA enforcement trends: Which violations are regulators prioritizing? (Spoiler: cookie fines are increasing)
- Browser changes: Third-party cookie deprecation timelines and their impact on tracking
- National implementation differences: Member state variations in cookie law interpretation
Subscribe to your relevant DPA's newsletter, follow EDPB opinions, and review enforcement decisions quarterly. Incorporate regulatory updates into your governance reports.
Building Your Monitoring Program
Here's a checklist to get started:
- Create or update your cookie register
- Set up automated weekly scans on all web properties
- Define Gretel Score thresholds and escalation procedures
- Document your incident response procedure
- Schedule monthly detailed reviews and quarterly governance reports
- Integrate cookie compliance into your DPIA process
- Establish a new-cookie approval workflow
- Assign clear responsibilities for each web property
Start monitoring your organization's cookie compliance. Get your Gretel Score and set up automated weekly scans to catch violations before regulators do. Scan your first domain now.