Back to overview
Cookie BannerAgenciesChecklist

Cookie Banner Checklist for Web Agencies: 20 Points Before Every Client Launch

Launch days are stress days — and that is exactly when data protection gets dropped. 20 checks for web agencies before every client launch: from banner obligation to script blocking to a clean handover to the client.

Aiara Team··9 min read
Cookie Banner Checklist for Web Agencies: 20 Points Before Every Client Launch

The launch day of a client website is rarely relaxed: DNS switched, final content entered, the client waiting for the go-live email. It is precisely in this rush that data protection gets dropped most often — the cookie banner is still running with the staging configuration, the privacy policy comes from the last project, and the Google Maps iframe happily loads before any consent.

Legally, the website operator — your client — is responsible for compliance. But let's be honest: the client commissioned the website from you precisely because they do not want to deal with these things. If the agency delivers a non-compliant website, it does not face direct fines — but it does face contractual liability questions under the works contract, awkward conversations and reputational damage that costs more than any checklist. So here they are: 20 points to tick off before every client launch — split into four blocks: legal, technical, organisational and handover.

A note on usage: the checklist works best as a fixed part of your launch process — as a template in your project management tool, copied for every client project. Working through it ad hoc from memory means, in our experience, forgetting exactly the points that cause trouble later.

Block 1 — Legal Foundations (Points 1 to 6)

These six points belong in the project phase, not in launch week. Whoever checks them last discovers gaps at the worst possible moment.

1. Banner obligation verified. Not every website needs a consent banner: if the site only sets technically necessary cookies, a transparent note in the privacy policy is enough in Switzerland. As soon as statistics or marketing tools run, there is no way around a banner. You will find the decision logic with all cases on our overview page on the cookie banner obligation — a superfluous banner annoys visitors, a missing one is a violation.

2. Privacy policy up to date — and in the client's name. The classic copy-paste mistake: the privacy policy still names the agency as controller — or even the client from the previous project. The policy must name the actual operator and reflect the tools actually in use. Access requests are directed at the controller named there; if the wrong one is listed, the document is worthless.

3. Legal notice correct and complete. Company name, legal form, registered address, contact option — the Federal Act against Unfair Competition requires clear provider identification for online offerings. It is the most easily checked point of the entire website: competitors and consumer advocates spot an error at a glance. What exactly belongs in it is covered in our article on the legal notice obligation in Switzerland.

4. All target-audience languages covered. A bilingual website, but legal texts only in German? Consent must be informed — whoever cannot understand the text cannot validly consent. Banner and privacy policy belong in every language version of the website; in French-speaking Switzerland and Ticino this is not a nice-to-have but a basic requirement.

5. GDPR applicability checked. «Swiss company» does not mean «Swiss law only». Under the marketplace principle, the European General Data Protection Regulation also applies as soon as the offering visibly targets people in the EU — shipping to Germany, euro prices, targeted advertising. What that means in practice is explained in our GDPR guide; for the banner it means above all: stricter consent requirements.

6. Data processing agreements concluded. Hosting, newsletter tool, cookie consent provider — they all process personal data on the client's behalf, and that requires contracts. Important: the contracting party is the client as controller, not the agency. When a data processing agreement is mandatory and what belongs in it is covered in our article on data processing agreements.

Block 2 — Technology (Points 7 to 13)

This is where it is decided whether the banner actually does something or is mere decoration. All seven points can be tested in under an hour.

7. Script blocking before consent tested. Load the page in a private window, open the developer tools, watch the Network tab — and click nothing. If requests go out to Google Analytics, Meta or other trackers, scripts are loading before consent and the banner is ineffective. This test takes five minutes and uncovers the most serious mistake of all.

8. Google Consent Mode V2 active. Anyone using Google Analytics or Google Ads for audiences in the European Economic Area cannot avoid Consent Mode V2 — without correct consent signals, Google restricts advertising features such as remarketing. Check whether the banner actually passes the signals on. The setup is explained in our article on Google Consent Mode V2 in Switzerland.

9. iframes blocked — with placeholder. Google Maps, YouTube and Vimeo set cookies as soon as the iframe loads — before anyone has consented. The correct approach: the iframe is blocked and replaced by a placeholder with «Activate content» that only loads the content after a click. Specifically test the pages with maps and videos; that is where most slips happen.

10. Banner in all website languages. Point 4 also applies technically: the banner must follow the language of the respective page. A German banner on the French page version undermines informed consent — and simply looks unfinished to visitors.

11. Mobile display tested. On real devices, not just in the device emulation of the developer tools. Around 60 percent of Swiss website visits come from smartphones; a banner that pushes the decline button below the visible area or cannot be dismissed obstructs the free choice of the majority of your visitors.

12. «Decline» equivalent to «Accept». The Federal Data Protection and Information Commissioner requires equivalent choices in his guidance: same size, same contrast, same level. A grey decline text link next to a bright accept button counts as a dark pattern — and is the mistake that stands out first in any review. The worry about falling acceptance rates is usually unfounded, by the way: fair banners build trust, and trust pays into the client's brand.

13. Cookie scan after launch. The live environment almost always differs from staging: different domain, additional services, caching, real advertising tags. Scan the live site right after launch and compare the result with the banner configuration — with our website scanner this takes just a few minutes.

Block 3 — Organisation (Points 14 to 17)

The launch is not an endpoint but the start of operations. These four points prevent a website that is compliant today from silently drifting out of compliance within six months.

14. Consent log active. The burden of proof for consent lies with the controller. Without a log containing timestamp, pseudonymous identifier and selected categories, not a single consent can be proven in a dispute — whoever documents nothing stands there as if they never asked. Before handover, check that the log is actually writing entries.

15. Responsibility clarified in writing. The client is the controller; the agency, depending on the setup, a processor. Record in the project contract who maintains the legal texts, who responds to data subject requests and who looks after the banner. Unclear responsibilities fall back on the agency in case of doubt — which is exactly what you want to exclude contractually.

16. Process for new tools and pixels defined. Three months after launch, the client's marketing team asks for a new conversion pixel — and nobody thinks of the banner. So agree on a fixed procedure: every new tool goes through the steps of assigning a banner category, updating the privacy policy and reviewing the contract with the provider. Without a process, the finest launch compliance is history within a quarter.

17. Re-scan rhythm set. Websites change gradually: plugin updates bring new cookies, services change their domains. An automatic scan every quarter — better monthly — uncovers deviations between reality and banner configuration before a client, a competitor or an authority does.

Block 4 — Handover (Points 18 to 20)

The best configuration is of little use if the client does not understand it. The last three points turn a project completion into a clean handover.

18. The client knows their dashboard. At handover, show where consent statistics, banner settings and scan reports can be found — half an hour is enough. A client who understands their own consent setup does not call the agency about every little thing and notices for themselves when something is off.

19. Maintenance process for legal texts agreed. A new product, a new newsletter provider, suddenly an online shop — every business change can affect the privacy policy. Clarify explicitly: does the client report changes to the agency, or do they maintain the texts themselves via a generator? Both work; only the unresolved variant does not.

20. Documentation handed over. Which tools are integrated, which cookie categories configured, which contracts concluded, who has access to what. It sounds like busywork, but it saves hours with every access request, every relaunch and every staff change. And in a dispute, the documentation proves that the agency worked cleanly — it is your own protection too.

For Agencies with Many Clients

For a single website, this checklist takes one to two hours. For thirty client websites, it becomes a process problem — nobody checks 600 points by hand, and certainly not every quarter. That is exactly what Aiara is built for: a central dashboard for all client domains, automatic scans with notifications on deviations, generated and maintained legal texts per client, and built-in consent logs. Agencies receive partner terms with discount tiers and consolidated invoicing — you will find the details at Aiara for agencies.

Frequently Asked Questions

Is the web agency liable if the client's cookie banner is not compliant?

Towards the authorities, the website operator is liable — they are the controller within the meaning of the Data Protection Act. The agency, however, can be liable under contract: whoever delivers a website as a work owes a defect-free work, and depending on the agreement that includes the promised legal compliance. Add to that the reputational damage when a client receives mail from the Federal Data Protection and Information Commissioner because of a freshly delivered website.

Does every client website need a cookie banner?

No. If a website only sets technically necessary cookies, a transparent privacy policy is sufficient in Switzerland. As soon as statistics, comfort or marketing cookies are set — which is the case for most business websites — a genuine consent solution is required. And if the offering also targets people in the EU, there is no way around a banner anyway.

How do I test whether scripts are blocked before consent?

Open the website in a private window, start the developer tools, select the Network tab, reload the page — and click nothing. If requests to google-analytics.com, facebook.com or other tracking domains appear, something is loading before consent. It is also worth checking Application → Cookies to see which cookies have already been set without any interaction.

How often should agencies re-scan client websites?

At least quarterly, better monthly — and additionally after every major update, plugin change or newly integrated marketing tool. Websites change gradually: a plugin update brings a new cookie, marketing adds a pixel, and suddenly the banner configuration no longer matches reality.

What does Aiara offer web agencies in concrete terms?

A central dashboard for all client domains, automatic cookie scans with notifications on deviations, generated legal texts in four languages, built-in consent logs and a partner programme with discount tiers and consolidated invoicing. This lets you automate most points of this checklist instead of ticking them off by hand for each client.

Ready for clean cookie consent?

Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.

Discover Aiara