Heimdall Scan (Open Beta)
Warning · Pro · Legal & Compliance

Missing cookie consent banner for GDPR

EU law (the ePrivacy Directive, with consent defined by GDPR) requires the user's prior, freely given and informed consent before a site stores or reads non-essential cookies (analytics, advertising, A/B testing) on the devices of users in the EU. A cookie banner is the standard way to capture that consent, and the major ad platforms now expect a consent signal for EU traffic: Google, for example, requires Consent Mode v2 signals before its ad and measurement tags run with personalization for users in the EEA.

What goes wrong

Many vibe-coded apps skip the banner entirely, or ship a fake one: a notice the user dismisses while the analytics tag has already loaded on page render and set its cookies. A real consent flow blocks the non-essential scripts until the user opts in (no pre-ticked boxes, no consent by scrolling), offers a decline option as easy as accept, and lets the user change or withdraw the choice later.

Why it matters

GDPR fines go up to 20 million euros or four percent of global annual turnover, whichever is higher, and cookie-consent cases are also enforced under national ePrivacy law (the French CNIL has issued multi-million-euro cookie fines to Google, Amazon and Meta). Beyond regulatory risk, Google Ads, Meta Ads, and many analytics platforms expect a consent signal for EU users; without one, Google's tags drop or restrict conversion measurement and personalization for EEA traffic. Skip the banner and you lose attribution for a large chunk of your users.

How Heimdall checks for this

Heimdall looks for a cookie consent component or library in your codebase, including the common ones like CookieYes, Cookiebot, iubenda, and Termly, plus custom implementations. It also checks whether the consent state actually gates the analytics initialization.

How to fix it

Add a consent management platform that supports the IAB TCF v2.2 standard and Google Consent Mode v2; CookieYes and Cookiebot are easy to set up. Default every non-essential category to denied, and configure your analytics and ad tags to wait for a positive consent signal before they initialize, not just before they send events: a tag that loads on page render has usually already set its cookies. Store the user's choice together with the version of your cookie policy so you can re-prompt when categories change, and provide a 'manage cookies' link in your footer so users can withdraw consent as easily as they gave it.
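The gating logic described above and the fake-banner failure mode from "What goes wrong", as an added example that is not Heimdall's code or a CMP's SDK: a small consent manager that keeps each non-essential category's tag from initializing until the user opts in, persists the choice with a policy version, re-prompts on a stale version, and pushes Google Consent Mode v2 signals when gtag is present. Storage and loaders are injected so the same logic runs in a browser (cookie plus script tag) and headlessly; the category names, `POLICY_VERSION`, the cookie name and the `browserStorage`/`scriptLoader` helpers are assumptions for illustration.

```javascript
// Added example (not Heimdall's code): consent gate that blocks non-essential
// tags until the user opts in. Storage and loaders are injected so it runs in
// a browser or headless. Category names and policy version are assumed.

const POLICY_VERSION = "2024-06";                     // assumed: bump when categories change
const CATEGORIES = ["analytics", "advertising", "abtesting"]; // assumed category set

// Default state: nothing decided, every non-essential category denied.
function defaultConsent() {
  const c = { version: POLICY_VERSION, decided: false };
  for (const k of CATEGORIES) c[k] = false;
  return c;
}

function createConsentManager({ storage, loaders }) {
  // storage: { get(): string|null, set(value: string): void }
  // loaders:  { [category]: () => void } that initialize the real tag
  const loaded = new Set();

  function parse(raw) {
    if (!raw) return defaultConsent();
    try {
      const saved = JSON.parse(raw);
      // A stale policy version means the old answer does not cover the
      // current categories: re-prompt instead of assuming consent.
      if (saved.version !== POLICY_VERSION) return defaultConsent();
      const c = defaultConsent();
      c.decided = saved.decided === true;
      for (const k of CATEGORIES) c[k] = saved[k] === true;
      return c;
    } catch {
      return defaultConsent();           // corrupt value: treat as undecided
    }
  }

  let state = parse(storage.get());

  function apply() {
    // Initialization is gated here: a loader runs only after explicit opt-in
    // and only once. A tag cannot be unloaded later, so never load it early.
    for (const k of CATEGORIES) {
      if (state[k] && !loaded.has(k) && loaders[k]) {
        loaders[k]();
        loaded.add(k);
      }
    }
    signalConsentMode(state);
  }

  function save(choices) {
    state = defaultConsent();
    state.decided = true;
    for (const k of CATEGORIES) state[k] = choices[k] === true; // absent = denied
    storage.set(JSON.stringify(state));
    apply();
  }

  return {
    needsPrompt: () => !state.decided,
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((k) => [k, true]))),
    rejectAll: () => save({}),
    update: (choices) => save(choices),
    withdraw: () => { storage.set(""); state = defaultConsent(); apply(); },
    getState: () => ({ ...state }),
    loadedCategories: () => [...loaded],
  };
}

// Map the state to Google Consent Mode v2 signals when gtag is present; a
// no-op elsewhere. The page must have sent gtag('consent','default',...) with
// every key denied before any Google tag loads, or this update comes too late.
function signalConsentMode(state) {
  if (typeof window === "undefined" || typeof window.gtag !== "function") return;
  const v = (b) => (b ? "granted" : "denied");
  window.gtag("consent", "update", {
    analytics_storage: v(state.analytics),
    ad_storage: v(state.advertising),
    ad_user_data: v(state.advertising),
    ad_personalization: v(state.advertising),
  });
}

// Browser wiring (assumed helper names): cookie-backed storage, and a loader
// that injects the tag only when the manager calls it.
function browserStorage(name = "cookie_consent") {
  return {
    get() {
      const m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
      return m ? decodeURIComponent(m[1]) : null;
    },
    set(value) {
      const maxAge = value ? 180 * 24 * 3600 : 0;   // six months, or delete on withdraw
      document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
    },
  };
}

function scriptLoader(src) {
  return () => {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  };
}
```

In a page you would build it as `createConsentManager({ storage: browserStorage(), loaders: { analytics: scriptLoader("https://www.googletagmanager.com/gtag/js?id=...") } })`, show the banner when `needsPrompt()` is true, and wire the footer's 'manage cookies' link to re-open the banner and call `update` or `withdraw`. The consent cookie itself is strictly necessary and needs no consent; everything the loaders inject does.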

Frequently asked questions

Do I need a banner if I have no EU users?

What about CCPA in California?

Can I just default to 'accepted' if the user does nothing?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 16 other issues in under a minute.