Severity: High | Owner: CMP admin | Time to fix: 1-2 h
Pre-consent cookies
Fix analytics, marketing, and third-party scripts that activate before the visitor has made a consent choice.
Covers: pre_consent_analytics_cookie, pre_consent_marketing_cookie, pre_consent_tracker
- Re-run the scan in a fresh session and confirm the finding disappears.
- Verify that no non-essential cookies are set before interaction.
Severity: High | Owner: CMP admin | Time to fix: 30-90 min
No consent banner
Restore or deploy a first-layer consent banner before any optional tracking or storage begins.
Covers: no_consent_banner, no_consent_banner_cmp_signals
- Clear cookies and re-open the site to confirm the banner appears immediately.
- Reject optional cookies and verify the site remains usable.
Severity: High | Owner: CMP admin | Time to fix: 15-60 min
No reject option
Make refusal as easy and visible as acceptance by fixing missing, hidden, or weak Reject actions.
Covers: no_reject_option, reject_suppressed, reject_below_fold
- Verify Reject is visible and clickable above the fold on both desktop and mobile.
- Click Reject and confirm optional tags do not fire.
Severity: High | Owner: Dev | Time to fix: 1-2 h
Cookie wall
Remove patterns that block access to content until the visitor accepts optional tracking.
Covers: cookie_wall
- Reject optional cookies and confirm content remains visible and usable.
- Confirm only optional processing is disabled, not the page itself.
Severity: Medium | Owner: Marketing | Time to fix: 30-120 min
Unclassified cookies
Classify unknown cookies, document their purpose, and stop shipping undeclared storage into production.
Covers: unclassified_cookie
- Re-run cookie inventory after categorizing the unknown entries.
- Confirm declarations and CMP category labels match the runtime cookies.
Severity: High | Owner: CMP admin | Time to fix: 1-2 h
Google Consent Mode mismatch
Fix cases where Google tags behave as if consent is granted even though runtime consent state says denied.
Covers: consent_mode_mismatch, consent_mode_default_granted, consent_mode_runtime_conflict
- Reject optional consent and confirm that Google analytics or ads requests do not fire.
- Accept consent and confirm requests start only after the consent update.
Severity: High | Owner: Dev | Time to fix: 1-3 h
Third-party requests before consent
Stop optional vendors from making network calls before a visitor has chosen whether to allow them.
Covers: pre_consent_third_party_request, third_party_data_flow_before_consent
- Confirm that only essential third-party requests remain before consent.
- Accept optional consent and verify optional vendors load only afterward.
Severity: Medium | Owner: Dev | Time to fix: 30-90 min
Google Fonts before consent or external font loading
Self-host fonts and remove remote font calls that leak requests before the visitor has opted in.
Covers: pre_consent_external_font, google_fonts_before_consent
- Reload the page with a clean cache and confirm no Google Fonts requests occur.
- Check multiple templates and breakpoints to ensure no remote font reference remains.
Severity: Medium | Owner: Dev | Time to fix: 30-120 min
Insecure tracking cookies (Secure or SameSite issues)
Harden tracking cookie flags so optional cookies are not shipped with weak browser security defaults.
Covers: tracking_cookie_missing_secure, tracking_cookie_missing_samesite, insecure_tracking_cookie
- Inspect cookies again after deployment and confirm attributes changed as expected.
- Test in Chrome and another major browser to catch cross-browser differences.
Severity: High | Owner: Dev | Time to fix: 1-3 h
Fingerprinting before consent
Defer or replace scripts that probe browser capabilities before the visitor has made a consent choice.
Covers: pre_consent_fingerprinting_signal, fingerprinting_risk_before_consent
- Confirm fingerprinting-sensitive APIs no longer run before consent.
- Re-test after Accept to ensure optional vendors still work when consent is granted.
Severity: High | Owner: CMP admin | Time to fix: 1-2 h
Google Consent Mode not detected
Implement Consent Mode defaults and updates so Google tags receive an explicit consent state instead of running without any signal.
Covers: consent_mode_not_detected, consent_mode_missing
- Verify Consent Mode defaults are present on first load before any optional tags fire.
- Verify Reject keeps Google storage states denied.
Severity: High | Owner: CMP admin | Time to fix: 30-90 min
Analytics before consent
Stop analytics tools from loading or setting storage before the visitor has explicitly opted in.
Covers: pre_consent_analytics_cookie, analytics_before_consent
- Confirm analytics requests do not fire before Accept.
- Confirm analytics cookies are absent before consent.
Severity: High | Owner: CMP admin | Time to fix: 30-90 min
Marketing cookies before consent
Block ad-tech and remarketing cookies until the visitor has actively accepted marketing processing.
Covers: pre_consent_marketing_cookie, marketing_cookie_before_consent
- Confirm no marketing cookies are set before consent.
- Confirm marketing requests start only after Accept.
Severity: High | Owner: Marketing | Time to fix: 30-60 min
Meta Pixel before consent
Prevent Meta Pixel from loading or sending events before the visitor has opted in to marketing tracking.
Covers: meta_pixel_before_consent, pre_consent_meta_pixel
- Confirm no Meta requests are sent before consent.
- Confirm `_fbp` or related identifiers are absent before opt-in.
Severity: High | Owner: CMP admin | Time to fix: 30-60 min
GA4 before consent
Stop GA4 from initializing, setting cookies, or sending page-view traffic before analytics consent is granted.
Covers: ga4_before_consent, pre_consent_ga4
- Confirm no GA4 requests are sent before consent.
- Confirm `_ga` cookies do not appear pre-consent.
Severity: High | Owner: Dev | Time to fix: 1-2 h
GTM tags firing before consent
Audit and gate GTM triggers so optional tags do not fire on page load before a valid consent state exists.
Covers: gtm_tags_before_consent, pre_consent_gtm_fire
- In preview mode, confirm optional GTM tags do not fire pre-consent.
- Confirm only essential tags remain on first load.
Severity: High | Owner: CMP admin | Time to fix: 15-45 min
Reject button only in second layer
Expose Reject on the first layer instead of forcing users into extra clicks or preference screens to refuse optional processing.
Covers: reject_in_second_layer, reject_not_first_layer
- Confirm Reject is present in the first layer on desktop and mobile.
- Confirm rejecting from the first layer prevents optional tags from firing.
Severity: High | Owner: Dev | Time to fix: 30-90 min
Consent banner not showing on mobile
Fix viewport, CSS, and lazy-load issues that make the consent banner disappear or fail to render on mobile devices.
Covers: mobile_banner_missing, consent_banner_mobile
- Confirm the banner appears on a real mobile device.
- Confirm users can Accept and Reject on mobile.
Severity: Medium | Owner: Dev | Time to fix: 30-90 min
Consent state not persisted
Fix consent storage and reload behavior so the visitor’s choice is remembered and enforced across pages and sessions.
Covers: consent_not_persisted, consent_state_lost
- Confirm the same choice persists after reload and cross-page navigation.
- Confirm Reject remains denied after revisit.
Severity: High | Owner: Dev | Time to fix: 1-2 h
Third-party embeds before consent
Delay YouTube, maps, chat, booking, and other third-party embeds until the visitor has opted in or explicitly chosen to load them.
Covers: pre_consent_embed, third_party_embed_before_consent
- Confirm embed vendors do not receive requests on first load.
- Confirm the embed loads only after opt-in or click-to-load interaction.
Severity: High | Owner: Marketing | Time to fix: 15-45 min
Hotjar before consent
Stop Hotjar from loading session replay or heatmap scripts before the visitor has granted analytics or marketing consent.
Covers: hotjar_before_consent, pre_consent_hotjar
- Confirm Hotjar does not load before consent.
- Confirm Hotjar cookies are absent pre-consent.
Severity: Medium | Owner: Marketing | Time to fix: 30-120 min
Cookie declaration out of date
Align your published cookie declaration with the cookies and vendors actually observed in runtime evidence.
Covers: cookie_declaration_outdated, declaration_mismatch
- Confirm every observed cookie is reflected in the declaration.
- Confirm removed vendors are no longer listed if they no longer run.
Severity: High | Owner: Dev | Time to fix: 1-2 h
Cookies still set after Reject
Fix flows where optional cookies or requests continue after the visitor explicitly rejects tracking.
Covers: cookies_after_reject, reject_not_enforced
- Reject and reload: confirm optional cookies remain absent.
- Reject and reload: confirm optional requests stay blocked.
Severity: Medium | Owner: Dev | Time to fix: 30-90 min
Consent banner blocked by CSP
Update Content Security Policy so the CMP script, styles, or iframe resources can load without opening broader security gaps.
Covers: cmp_blocked_by_csp, consent_banner_csp_error
- Confirm CSP errors for CMP assets disappear.
- Confirm the banner renders and accepts user input normally.
Severity: High | Owner: Dev | Time to fix: 1-3 h
Server-side GTM consent issues
Align server-side GTM routing and consent propagation so server-side tagging does not bypass the visitor’s consent state.
Covers: ssgtm_consent_issue, server_side_gtm_before_consent
- Confirm no optional events are proxied to server-side GTM before consent.
- Confirm Accept enables the intended event flow and Reject keeps it denied.