GDPR Compliance Technical Audit
Your cookie banner says one thing. Your events do another. We test every data flow leaving your site across your Martech stack and document exactly where your tracking violates GDPR.
Is a cookie banner enough?
Most websites have a cookie banner, but the key is to synchronize that banner with the rest of your tracking.
We've audited hundreds of tracking setups across Google Tag Manager, Tealium iQ, Adobe Experience Platform, and custom implementations. Even though the violations differ, they all boil down to:
- Tags firing before consent is given
- Cookies being set regardless of user choice
- Data being sent to third parties without proper consent signals
- Event tracking still firing after consent is denied
The gap between what your new analytics or marketing vendor claims and what your tags actually do is where GDPR fines live.
We close that gap. Platform-agnostic, vendor-neutral, focused entirely on what your website actually sends and the cookies it sets.
How We Audit
Consent Banner Behavior Testing
We test your CMP across all consent states: full accept, full reject, partial consent, and no interaction. We verify that consent signals are actually communicated to your events, not just displayed in the UI.
Network Request Interception
Every outbound tracking HTTP request is captured and categorized. We identify which third-party domains receive data, what data is sent, and whether it happens before or after consent is granted. No request escapes the audit.
Cookie & Storage Analysis
We catalog every cookie, localStorage entry, and sessionStorage item set by your site. Each is classified by purpose, duration, and whether it's set before or after consent. Depending on your needs, we test across browsers (Chrome, Firefox, Safari, and Edge), because consent behavior may differ.
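A sketch of the before/after-consent classification described in the two sections above, added here as an illustration and not taken from our audit tooling. The site name, vendor hosts, consent categories and timings are constructed sample data.

```javascript
// Added example: all hosts, categories and timings below are constructed.
const FIRST_PARTY = "shop.example"; // hypothetical site under audit

const isThirdParty = (host) =>
  host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);

// One captured session per consent state. t and consentAt are ms since
// navigation start; consentAt is null when the banner was never answered.
const sessions = [
  { state: "full_accept", consentAt: 900, granted: ["analytics", "marketing"], events: [
    { t: 400, kind: "request", host: "stats.vendor.example", category: "analytics" },
    { t: 1500, kind: "request", host: "ads.vendor.example", category: "marketing" } ] },
  { state: "full_reject", consentAt: 1200, granted: [], events: [
    { t: 100, kind: "cookie", host: "shop.example", category: "necessary" },
    { t: 2000, kind: "request", host: "ads.vendor.example", category: "marketing" } ] },
  { state: "partial", consentAt: 1000, granted: ["analytics"], events: [
    { t: 1100, kind: "request", host: "stats.vendor.example", category: "analytics" },
    { t: 1300, kind: "cookie", host: "ads.vendor.example", category: "marketing" } ] },
  { state: "no_interaction", consentAt: null, granted: [], events: [
    { t: 500, kind: "storage", host: "shop.example", category: "analytics" } ] },
];

// Flag every non-necessary event that fired before the choice was recorded,
// or after it for a category the visitor did not grant.
function findViolations(session) {
  const found = [];
  for (const ev of session.events) {
    if (ev.category === "necessary") continue;
    let reason = null;
    if (session.consentAt === null || ev.t < session.consentAt) {
      reason = "before_consent";
    } else if (!session.granted.includes(ev.category)) {
      reason = "consent_denied";
    }
    if (reason) {
      found.push({ state: session.state, kind: ev.kind, host: ev.host,
                   thirdParty: isThirdParty(ev.host), reason });
    }
  }
  return found;
}

const auditAll = (all) => all.flatMap(findViolations);

for (const v of auditAll(sessions)) {
  console.log(`${v.state}: ${v.kind} -> ${v.host} (${v.reason})`);
}
```

Note that the full-accept session still produces a finding: the analytics request at 400 ms went out before the visitor answered the banner at 900 ms.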
Tag-Level Compliance Mapping
Inside your tag management system (GTM, Tealium, Adobe Launch, Piwik Pro, Matomo, Segment, or custom), we verify that each tag respects consent categories. We check trigger conditions, consent-aware configurations, and built-in consent checks.
Consent Mode v2 Validation
For Google tags, we verify Consent Mode v2 is correctly implemented. We test default states, update commands, ad_storage, ad_user_data, ad_personalization, and analytics_storage parameters. We test both Basic and Advanced mode behavior.
Report & Remediation Plan
You get a full technical report with every violation documented: screenshot, network evidence, and the exact fixes you (or we) can apply immediately.
What Makes This Different
Deliverables
- Compliance Report: Every violation with screenshot evidence, how to replicate, network proof, and severity classification
- Cookie & Storage Inventory: Complete catalog classified by purpose, consent category, and compliance status
- Consent Mode v2 Status Report: Validation of Google Consent Mode parameters across all consent states
- Remediation Plan: Step-by-step fixes ordered by severity. Or if you prefer, we can implement them for you.
- Executive Summary: Non-technical overview for stakeholders, DPOs, and legal teams
Frequently Asked Questions
Is this a legal audit?
No. We provide technical evidence of what your website does: which tags fire, what data is sent, and whether consent choices are respected. Your legal team or DPO uses our report to assess compliance risk.
We already have a cookie scanner. Why do we need this?
Cookie scanners only detect cookies. They don't intercept network requests, test consent signal propagation, or verify that your Cookie Management Platform/Tag Management System actually blocks tags when consent is denied. A cookie audit and a compliance audit are fundamentally different.
Which tag management systems do you support?
All of them. GTM, Tealium iQ, Adobe Launch, Piwik Pro, Matomo, Segment, and custom JavaScript implementations.
Can you also fix the issues you find?
Yes. Audit and remediation are separate engagements so there's no conflict of interest.
How do we prevent compliance from breaking again after deployment?
This is exactly why we built AssertionHub. After a quick setup that you can do yourselves, it monitors your tracking continuously and alerts you the moment a tag starts firing outside its consent configuration.
Do you need access to our analytics accounts?
We need read access to your tag management system. We do not need access to analytics platforms; we audit from the browser side.
Prerequisites
- Read access to tag management system
- Consent Management Platform access
- List of domains and subdomains in scope
Assumptions (for 12-15 hours)
- Single primary domain (up to 2 subdomains included)
- One tag management system
- Existing CMP deployed
Timeline
12-15 hours over 1-2 weeks
What's Included
Full compliance report with cookie inventory + remediation plan explained in a walkthrough call
Platform Support
GTM, Tealium, Adobe, Piwik Pro, Matomo, Segment, custom
AssertionHub Bonus
1 month premium of AssertionHub for automated monitoring
Not sure if you need a full audit or just Consent Mode setup?
Important: This is a technical audit, not legal advice. We document what your website does technically. Your DPO or legal counsel assesses the regulatory implications.