
TL;DR: You can ship a small first-party consent module fast (AI helps). The part that actually holds up under scrutiny is whether non-essential requests and scripts stay dead until valid consent in a real browser. Treat a runtime audit like CI for privacy: red → fix load order / injectors → re-scan. Skipping a heavy CMP does not mean skipping proof after every deploy.
Scope: EU/EEA GDPR and ePrivacy (cookies / similar tech on websites). This is educational, not legal advice — get counsel for your setup.
Commercial CMPs are the right choice for lots of teams. The failure mode for builders is different: the CMP becomes a black box. Marketing edits tags, A/B tests swap snippets, preview ≠ production. Without a runtime check you find out from a complaint, not from your pipeline.
What you want instead is evidence-first consent: “done” means you can point to reproducible proof that non-essential tags did not initialise or send data before consent — not only that a banner rendered.
Same rhythm as TDD, except the “test” is a browser execution trace:
1. Freeze the surface — same staging URL, clean profile, same consent variant you ship.
2. Run a runtime audit — isolated browser, see what fires before accept/reject.
3. Pick one hypothesis — e.g. “Meta endpoints should not appear before accept.”
4. Change one thing — usually load order and when GTM / marketing bootstraps, not cosmetic banner CSS.
5. Re-scan — until the checks you care about pass; repeat when marketing ships again.
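What the “test” in that loop looks like once it is code: an added example (not from the post or from securespells) of a runtime-audit check that takes a captured request trace plus the moment consent was given and returns a red/green verdict with the offending requests as evidence. The vendor registry, the trace and the timestamps below are constructed for the example; in a real pipeline the trace would come from a headless browser on the frozen staging URL.

```javascript
// Added example: "runtime audit as CI" over a browser request trace.
// Everything below is constructed sample data, not captured from a real site.

// Hypothetical vendor registry: non-essential hosts and the consent category
// that must be granted before they may load. First-party hosts are not listed.
const VENDOR_HOSTS = {
  'connect.facebook.net': 'marketing',
  'www.facebook.com': 'marketing',
  'www.googletagmanager.com': 'marketing',
  'www.google-analytics.com': 'analytics',
};

// Constructed trace: requests as seen by an isolated browser, t = ms since
// navigation; consent records when the user decided and which categories.
const SAMPLE_TRACE = {
  consent: { t: 4200, granted: ['analytics'] }, // user accepted analytics only
  requests: [
    { t: 120, url: 'https://example.test/' },
    { t: 180, url: 'https://example.test/app.js' },
    { t: 950, url: 'https://connect.facebook.net/en_US/fbevents.js' }, // before consent
    { t: 4400, url: 'https://www.google-analytics.com/collect?v=1' }, // allowed
    { t: 4600, url: 'https://www.facebook.com/tr?id=placeholder' }, // category not granted
  ],
};

function hostOf(url) {
  return new URL(url).hostname;
}

// Returns every request that contradicts the consent state: a registered
// vendor host that fired before the consent event (or with no consent at all),
// or after it but for a category the user did not grant.
function auditTrace(trace, registry = VENDOR_HOSTS) {
  const violations = [];
  for (const req of trace.requests) {
    const category = registry[hostOf(req.url)];
    if (!category) continue; // first-party or unregistered host: out of scope here
    const noConsentYet = trace.consent === null || req.t < trace.consent.t;
    const granted = trace.consent !== null && trace.consent.granted.includes(category);
    if (noConsentYet) {
      violations.push({ ...req, category, reason: 'fired-before-consent' });
    } else if (!granted) {
      violations.push({ ...req, category, reason: 'category-not-granted' });
    }
  }
  return violations;
}

// CI-style verdict: green only when the hypothesis holds for the whole trace.
function verdict(trace, registry = VENDOR_HOSTS) {
  const violations = auditTrace(trace, registry);
  return { ok: violations.length === 0, violations };
}

// Stand-alone run: print the evidence and fail the build on red.
if (typeof require !== 'undefined' && require.main === module) {
  const result = verdict(SAMPLE_TRACE);
  console.log(result.ok ? 'GREEN: no non-essential request before/without consent' : 'RED');
  for (const v of result.violations) {
    console.log(`  ${v.reason}  ${v.category}  t=${v.t}ms  ${v.url}`);
  }
  process.exitCode = result.ok ? 0 : 1;
}
```

The “reject” variant is the same check with `granted: []`, and a trace where the banner was never answered is `consent: null`; both should come out green for a default-deny gate, which is exactly the regression you want to see fail the moment a new tag bypasses the gate.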
Technically: Default deny (do not load the tag hub until your gate runs) is often easier to reason about than “load GTM and hope it waits internally.”
Lightweight patterns (details and caveats on the blog): keep third-party scripts inert (type="text/plain" until flip), one owner module for consent branches, optional MutationObserver as defence in depth — but the audit is still the referee; observers miss plenty.
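The default-deny gate and the “one owner module” pattern, as an added example that is not the post’s or securespells’ code: third-party scripts ship inert as `<script type="text/plain" data-consent="marketing">`, a single consent state machine decides what is granted and keeps a timestamped record for server-side logging, and an activation pass only creates executable copies for granted categories. The category names, the policy version string and the stand-in script elements are constructed for the example; the DOM-access part is isolated in `domCreateScript` so the logic itself runs in plain Node.

```javascript
// Added example: consent owner module + default-deny script activation.
// Category names and policy version are hypothetical.

const CATEGORIES = ['analytics', 'marketing'];
const POLICY_VERSION = 'example-policy-v1'; // hypothetical banner/policy version

// Consent state machine: 'pending' until the user decides. Every decision,
// including withdrawal, appends an evidence entry meant to be forwarded to a
// server-side consent log (localStorage alone is not a record of consent).
function createConsentState(now = () => Date.now()) {
  const state = { status: 'pending', granted: new Set(), log: [] };

  function record(action, categories) {
    const entry = { action, categories: [...categories], policyVersion: POLICY_VERSION, at: now() };
    state.log.push(entry);
    return entry;
  }

  return {
    status: () => state.status,
    isGranted: (cat) => state.status === 'decided' && state.granted.has(cat),
    grant(categories) {
      const valid = categories.filter((c) => CATEGORIES.includes(c));
      state.status = 'decided';
      valid.forEach((c) => state.granted.add(c));
      return record('grant', valid);
    },
    rejectAll() {
      state.status = 'decided';
      state.granted.clear();
      return record('reject', []);
    },
    // Withdrawal stops future loads; an already-executed script cannot be
    // unloaded, which is why the runtime audit stays the referee.
    withdraw(category) {
      state.granted.delete(category);
      return record('withdraw', [category]);
    },
    log: () => state.log.slice(),
  };
}

// Activate inert scripts whose category is granted. Browsers never execute a
// script element whose type was changed after parsing, so an executable copy
// is created through createScript; the inert original is marked so a second
// pass (e.g. after a later grant) does not activate it twice.
function activateScripts(consent, scripts, createScript) {
  const activated = [];
  for (const s of scripts) {
    if (s.type !== 'text/plain' || !s.dataset || !s.dataset.consent) continue;
    if (s.dataset.activated === '1') continue;
    if (!consent.isGranted(s.dataset.consent)) continue;
    activated.push(createScript({ src: s.src, text: s.text, type: 'text/javascript' }));
    s.dataset.activated = '1';
  }
  return activated;
}

// Browser glue: the only place that touches the DOM. In a page you would call
// activateScripts(consent, document.querySelectorAll('script[type="text/plain"][data-consent]'), domCreateScript)
// every time the consent state changes.
function domCreateScript({ src, text, type }) {
  const el = document.createElement('script');
  el.type = type;
  if (src) el.src = src; else el.text = text;
  document.head.appendChild(el);
  return el;
}

// Constructed stand-ins for <script> elements so the gate runs without a DOM.
function fakeScripts() {
  return [
    { type: 'text/plain', dataset: { consent: 'marketing' }, src: 'https://connect.facebook.net/en_US/fbevents.js' },
    { type: 'text/plain', dataset: { consent: 'analytics' }, text: 'console.log("analytics boot")' },
    { type: 'text/javascript', dataset: {}, src: '/app.js' }, // first-party, never gated
  ];
}

// Walk through pending -> grant(analytics) and report what got activated.
function demo() {
  const consent = createConsentState(() => 1700000000000); // fixed clock for the example
  const scripts = fakeScripts();
  const whilePending = activateScripts(consent, scripts, (x) => x); // nothing: default deny
  consent.grant(['analytics']);
  const afterGrant = activateScripts(consent, scripts, (x) => x); // analytics only
  return { whilePending: whilePending.length, afterGrant: afterGrant.map((s) => s.src || s.text), log: consent.log() };
}
```

Note that the module never loads GTM or any tag hub on its own: the hub is just another `text/plain` script in a category, so a tag that marketing adds inside the hub cannot fire before the gate flips, and the audit from the previous step is what proves it.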
LLMs are great for boilerplate structure, naming, and refactoring if you paste ground truth into the thread: failing network evidence, the exact injector, your consent state machine. If the model is arguing from vibes instead of a trace, you are one deploy away from theatre.
A custom gate can be more inspectable than a hosted script — if you close gaps: consent logging (Art. 7 is not satisfied by localStorage alone), withdrawal UX, granularity that maps to real load branches, geo / TCF if you play in ads, vendor registry if you dropped the CMP crawler, transfers (Chapter V) even when execution looks clean.
Full honest checklist + comparison dimensions + LLM paste bundles:
https://securespells.com/blog/test-driven-privacy-custom-consent-layer/
We’re running a small launch window: first 30 Stripe checkout redemptions get Pro plan with will audits at €29 for the first month (then renews at list price — always confirm in Stripe, incl. VAT). That tier includes ongoing monitoring plus the runtime evidence story above — i.e. not “a cheaper banner,” but verification + regression signal after you ship.
Start here: https://securespells.com/launch
If the offer is exhausted or past the campaign end date, the page should reflect that — don’t rely on this article alone.