Consent Compliance Audit

https://example.com  ·  2026-05-19 05:13:11 UTC  ·  S3 — Definitive (Privacy Logic Enforcement Test)

No Consent Violations Detected

0 confirmed violations  ·  1 vendor analyzed  ·  s3_fresh_load_optout_preset

Executive Summary

No confirmed consent violations were detected at https://example.com under the s3_fresh_load_optout_preset methodology.

GPC Signal Test Inconclusive

Sec-GPC: 1 header sent on all requests | YES
navigator.globalPrivacyControl = true | YES
Site honored GPC signal | Inconclusive
Baseline pixel firings (S3 opt-out) | 0
Pixel firings under GPC | 0

Under CCPA/CPRA, GPC is a legally binding opt-out signal. California's CPPA has stated GPC non-compliance is enforceable without prior notice.

GCS Signal: None · No consent mode detected
GTM Container: Not detected · none
CMP Interaction: Cookie injection (OneTrust)
Jurisdiction: United States (CCPA / State Laws) · auto-detected
Server-Side GTM: Not detected
GPC Tested: Yes · Sec-GPC: 1 header

Vendor Tracking Findings

Vendor | Signal / Cookie | Category | Legal Risk | Status | Observation
OneTrust | OptanonConsent, OptanonAlertBoxClosed | Functional | Unknown | Passed |

Open Gaps · requires manual follow-up

  • OneTrust cookies (OptanonConsent) were observed but the OneTrust JS API was not detected during the scan window. The CMP is likely loading asynchronously past the networkidle threshold. Manually verify by inspecting window.OneTrust in browser DevTools, then consider re-scanning with a longer wait.

Regulatory Basis

Consent Mode — Reporting Impact and Business Case

Why Compliance ≠ Data Destruction

The compliance argument and the commercial argument for proper Consent Mode implementation are aligned, not in tension:
- Without proper consent signals: advertising data is both legally questionable AND commercially degraded
- Properly implemented Consent Mode V2 satisfies GDPR requirements AND preserves advertising performance
- An audit finding of "CMP present but Consent Mode not implemented" is simultaneously a legal risk AND a business performance problem

Conversion Data Loss Estimates

Sites that implement consent banners WITHOUT Consent Mode V2:
- EU/UK sites: 30–50% of conversions go unattributed
- Sites with cookie walls: up to 60% unattributed in opt-in jurisdictions
- Advanced Consent Mode with modeling: recovers approximately 65–80% of lost conversions
- Basic Consent Mode: no recovery — conversions simply absent from reports

Google Consent Mode V2 — Technical Reference

What It Does

Consent Mode is a signaling system between a CMP and Google tags (GA4, Google Ads). When consent is denied, tags adjust behavior:
- Basic Mode: Tags are completely blocked — no data reaches Google
- Advanced Mode: Tags fire but send cookieless "pings" for behavioral modeling

Mandatory for EEA/UK advertisers using audience features or remarketing since March 2024.

GCS Parameter (Network Evidence)

The gcs= URL parameter in Google Analytics and DoubleClick requests encodes consent state.
Format: G1AB where A = ad_storage, B = analytics_storage. 0 = denied, 1 = granted, - = unset.

GCS Value | ad_storage | analytics_storage | Meaning
G111 | granted | granted | All consent granted (or Consent Mode not configured)
G100 | denied | denied | Full opt-out — ACM cookieless pings only
G101 | denied | granted | Partial opt-out — ad tracking denied, analytics still active
G110 | granted | denied | Partial opt-out — analytics denied, ad tracking still active
G1-- | unset | unset | Consent Mode present but signals not yet set (timing/race condition)
No gcs= | n/a | n/a | Basic Consent Mode (tag blocked entirely) or no Consent Mode

Key audit signals for S3 opt-out tests:
- G100 = ACM correctly implemented — cookieless pings only, correct response to opt-out
- G101 = Partial CCPA compliance — ad_storage denied but analytics_storage still granted. Under CCPA, "Do Not Sell" must cover analytics profiling, not just ad delivery. This is a compliance gap.
- G110 = Partial compliance (inverse — rare in practice)
- G111 in S3 test = CMP integration failure — opt-out not propagating to Consent Mode at all

Key audit signal: If gcs=G100 appears in network requests → the tag FIRED despite denied consent. This is Advanced Consent Mode — the tag is not blocked, it sends a cookieless ping.

Manual Validation Checklist

Reproduce each finding in a browser to confirm audit accuracy. All steps assume incognito mode with a California VPN or geolocation override.

1. CMP Banner Presence
   Check: Verify consent banner appears for California visitors.
   Steps: Open an incognito window. Use a VPN set to Los Angeles, CA (or Chrome DevTools > Sensors > Location: Los Angeles). Navigate to the site. The consent banner should appear on first visit.
   Expected: Banner appears with Reject/Deny option. Our scan detected consent banner via cookie injection. Our scan did NOT see a visible banner. The CMP may be IP-gated to specific regions.

2. GPC Signal (Sec-GPC: 1)
   Check: Verify the site respects the Global Privacy Control signal.
   Steps: Install a GPC browser extension (e.g., OptMeowt or Privacy Badger with GPC enabled). Navigate to the site. Check: (1) Does the CMP auto-set to opt-out? (2) In DevTools > Network, do request headers include 'Sec-GPC: 1'? (3) Does navigator.globalPrivacyControl return true in Console?
   Expected: Under CCPA/CPRA, GPC is a legally binding opt-out signal. The CMP should auto-deny consent when GPC is detected. California's CPPA has stated GPC non-compliance is enforceable without prior notice.