Question 1

Are cookies loading before consent?

Accepted Answer

We open a brand-new browser session and load your homepage without touching the cookie banner - exactly what a first-time visitor (and a regulator’s scanner) sees. Every cookie set during this visit is recorded and labelled. If analytics, advertising, or other non-essential cookies show up here, your site is setting cookies before consent - one of the most common GDPR and ePrivacy violations.

Question 2

Is Google Analytics blocked?

Accepted Answer

We check whether Google Analytics (GA4, or the older Universal Analytics) sends any data during this first visit, or after a visitor clicks "Reject All". If GA4 keeps tracking after someone says no, it isn’t respecting their choice - and that’s a compliance problem, even if your traffic numbers look healthy.

Question 3

Is Google Tag Manager firing before consent?

Accepted Answer

We check when your Google Tag Manager container loads, and which tags fire before a visitor has made a choice. GTM itself loading isn’t necessarily a problem - but the marketing and analytics tags inside it should be gated behind a consent trigger, so they only fire once someone clicks Accept.

Question 4

Is Reject All available?

Accepted Answer

We recognize 15+ popular cookie banner tools (CMPs) and look for a genuine, one-click "Reject All" option - not "Accept" with rejection buried behind extra menus. Several EU data protection authorities have already ruled that hiding the reject option behind extra clicks is not valid consent.

Question 5

Is consent stored?

Accepted Answer

After clicking Accept All or Reject All, we move to a second page in the same session and check: does the banner pop up again (it shouldn’t), and do consent signals - including Google Consent Mode v2 and IAB TCF, if your CMP uses them - still reflect the choice that was made?

Question 6

Are marketing cookies blocked?

Accepted Answer

Every cookie we see is sorted into a category - necessary, functional, preference, analytics, advertising, or unknown - and given a risk score. After Reject All, advertising and analytics cookies should disappear completely. If they don’t, your privacy score for that test drops, and you’ll see exactly which cookies are still running.

Question 7

Is the banner GDPR compliant?

Accepted Answer

We look at which cookie banner software (CMP) you’re using, how it presents choices in different languages, whether the Accept and Reject buttons are equally easy to find, and whether any boxes are pre-ticked in your favour. These are the most common reasons a cookie banner fails a GDPR review.

Question 8

Is my site legally safe?

Accepted Answer

No automated tool can promise a legal guarantee - but running the full set of tests (before consent, Accept All, Reject All, plus "Do Not Sell" signals across multiple regions) gives you the same evidence a regulator, auditor, or your own legal team would ask for: what happens before anyone clicks anything, what changes after they choose, and whether your site honours those choices automatically.

Question 9

How is the privacy score calculated?

Accepted Answer

Each cookie gets a risk score based on its category - necessary cookies score lowest, advertising cookies score highest - multiplied by how confident we are in that classification. We average this across all cookies in a scenario, then convert it into a 0-100 privacy score. Your overall score is the average across the core before-consent, Accept All, and Reject All scenarios.

Question 10

Do I need to install anything on my site?

Accepted Answer

No. The scanner is fully external and read-only - it launches a browser, visits your public URL, and observes cookies, network requests, and consent signals. Nothing is installed and no code changes are required to run a scan.

Question 11

How long does a scan take?

Accepted Answer

A single-region scan covering the before-consent, Accept All, and Reject All scenarios typically completes within a couple of minutes, since each scenario runs in its own fresh, isolated browser session.

Question 12

What if my site doesn't show a cookie banner at all?

Accepted Answer

That’s flagged immediately. If no CMP is detected and non-essential cookies are present before consent, your site is very likely non-compliant under GDPR and ePrivacy, since EU visitors must be asked for consent before non-essential cookies are set.

Question 13

Is an automated cookie scanner enough, or do I need a lawyer too?

Accepted Answer

A cookie compliance checker gives you the technical evidence: which cookies fire, when, and whether your banner and consent signals behave correctly - covering most of what a GDPR cookie consent audit needs. For business-specific legal questions, such as how a regulation applies to your industry, pair the scan report with advice from a privacy lawyer or your Data Protection Officer.

Question 14

Can I scan a staging or password-protected site?

Accepted Answer

The free scanner works on publicly accessible URLs. Password-protected staging environments aren’t supported in the free tier; authenticated scanning is part of the paid plans.

Is your website really GDPR compliant?

The questions a GDPR cookie audit asks

What's at risk if your cookie banner gets this wrong

Regulator fines and formal warnings

Restricted Google Ads and Analytics

Skewed marketing data

Lost trust, complaints, and bad press

Who it's for

Agencies & Consultants

Marketing & Privacy Teams

Developers & Marketing Ops

Frequently asked questions

See how the scan works, step by step