COOKIE & CONSENT COMPLIANCE SCANNER

Your cookie banner might be lying to you.

Most banners don't actually block anything — GA4, Meta Pixel, and ad tags fire before the visitor ever clicks. That's the exact behavior GDPR fines and US wiretapping lawsuits target. Find out in 30 seconds whether your site does it.

No signup. One free scan shows your grade and what we found — fixes unlock for $19.

Regulators check exactly this

European DPAs run automated pre-consent scans just like this one, and cookie consent has been the basis of fines against companies of every size — not just Google and Meta. In the US, plaintiffs' firms file wiretapping-style claims over session replay and pixels running without consent.

Google now requires Consent Mode v2

Since March 2024, missing v2 signals (ad_user_data, ad_personalization) breaks remarketing audiences and degrades conversion measurement for EEA/UK traffic. Non-compliance doesn't just risk fines anymore — it quietly damages your ad performance.

Banners break silently

A GTM publish, a new marketing pixel, a theme update — any of them can put a tag outside your consent gating, and nothing on the page looks different. The only way to know is to re-test, which nobody does manually.

What the scan checks

A real headless Chrome loads your page as a first-time visitor — empty cookie jar, no consent clicked — and records everything that happens before a choice is made.

Trackers firing pre-consent

Every network request is matched against 25+ signatures: GA4, Meta Pixel, Google Ads, TikTok, LinkedIn, Hotjar, Clarity, and more. Anything that fires before consent gets flagged with the exact request URL as evidence.

Whether your banner actually blocks

We detect 18 CMPs (OneTrust, Cookiebot, Didomi, Usercentrics…) plus custom banners — then check whether tags respected it. A banner that renders while pixels fire behind it is the most common failure we see.

Google Consent Mode v2

We inspect your dataLayer for gtag("consent","default",…) — is it present, does it fire before GTM, does it include the v2 signals, and does it actually default to denied.

Cookies set before consent

Third-party cookies and known tracking identifiers (_ga, _fbp, _gcl_au, _ttp…) present before any interaction, classified and attributed to their source.

WHO BUILT THIS

ConsentCheck is built by a developer who implements this stack for a living — OneTrust rollouts, GTM Consent Mode v2 remediation, and GA4 debugging on production marketing sites. The fixes in every report aren't generic advice; they're the same steps used to remediate real audits, down to the OneTrust category classes and the GTM consent triggers.

This is a diagnostic tool, not legal advice — it finds the technical problems your lawyer and your ad platforms care about.

Pricing

Free scan

$0

  • Your compliance grade (A–F)
  • Issue count and categories
  • What's passing

Full report

$19 one-time

  • Every issue with evidence (URLs, cookies, dataLayer state)
  • Specific fixes: GTM consent settings, CMP config, Consent Mode snippets
  • PDF export — hand it to your dev or agency

RECOMMENDED

Monitoring

$29 /month per site

  • Everything in the full report
  • Automatic re-scan every week
  • Email alert when compliance changes — new tracker, broken banner, grade drop
  • Cancel anytime

For agencies: one subscription per client site makes compliance a line item you can resell.

Run a free scan first — pricing options appear on your report.

FAQ

Is this legal advice?
No. It's a technical audit of what your site actually does before consent — the factual layer that legal review, DPA scans, and ad-platform requirements all sit on top of. Fixing what we flag removes the most commonly enforced technical violations, but it doesn't replace a privacy policy review.
My banner only shows for EU visitors — will the scan see it?
Scans run from US infrastructure, so a strictly geo-gated banner may not render. The report says so explicitly when banner detection comes up empty, and the tracker and Consent Mode findings remain valid either way — Consent Mode defaults should be present in the page source regardless of visitor location.
Can you scan pages behind a login?
Not in v1. The scan covers the URL you enter as an anonymous first-time visitor, which is also the visit that matters most for consent compliance.
What does monitoring actually alert on?
Grade changes, new trackers firing pre-consent, and trackers that were resolved. Weekly cadence, only meaningful changes — if nothing changed you get a two-line all-clear so you know it ran.