Free Audit

Get your free audit

We will get in touch to scope the work with you, then deliver the audit with no strings attached. Select the audit you want us to look at below.

What should we audit?

View full details for this audit
GDPR & Consent

GDPR Tracking Compliance Audit

Technical audit of how your tracking stack responds to user consent choices. We intercept network requests across all consent states and document exactly which tags fire before they should, which consent signals are missing or misconfigured, and whether Consent Mode v2 is correctly integrated with your CMP.

Audit GDPR Compliance

Network-interception audit of your tracking stack across all four consent states, producing a violations report with specific remediation steps.

Best for

Any business with EU users who has a cookie banner but has never verified whether tags actually stop firing when they should.

  • 12-15 hours across one primary domain
  • All four consent states tested via network interception
  • Every third-party request documented with timing
  • Works with any CMP

Overview

How to know if you need a GDPR Tracking Compliance Audit

  • You have a cookie banner but have never confirmed via network testing that tags actually stop firing when users decline or ignore it.
  • Your tag manager fires tags on page load and you are not certain the consent callback from your CMP fires first.
  • A GDPR review, legal team, or data protection officer has flagged your tracking setup as a potential compliance risk.
  • You use multiple analytics and advertising tags and are not sure all of them respect consent signals correctly.
  • You have recently changed your CMP, tag manager setup, or consent configuration and have not re-tested since.

What the GDPR Tracking Compliance Audit covers

  • Network interception across four consent states: no interaction, rejected, partial consent, and accepted.
  • Every outbound network request documented with timing relative to consent interaction.
  • Consent Mode v2 signal verification: correct parameters reaching Google tags, and callback firing before tag initialisation.
  • CMP integration review: whether your CMP's consent signal is correctly wired to your tag manager.
  • Specific identification of which tags fire before they should and the precise timing of each pre-consent request.

GDPR Tracking Compliance Audit outcomes

  • A violations report listing every pre-consent data request with screenshots, timing, and the specific tag responsible.
  • A technical remediation plan with a specific fix for each violation.
  • Evidence of compliance for each consent state, which can be retained for documentation purposes.

GDPR Tracking Compliance Audit scope and hours

  • 12-15 hours across one primary domain.
  • Works with any CMP: Cookiebot, OneTrust, Usercentrics, CookieYes, Didomi, and others.
  • Subdomain and cross-domain scope can be added but extends the hours estimate.
  • Scope confirmed after reviewing your domain, tag stack, and CMP setup.

What makes our GDPR Tracking Compliance Audit different

  • We test actual network traffic, not just the GTM configuration. A tag can look correctly configured and still fire pre-consent due to timing issues.
  • Every violation is documented with a screenshot and precise timing, so the findings are unambiguous and usable as evidence.
  • Every violation gets a specific fix, not a general recommendation to 'review your consent setup'.
  • This is a technical compliance review of your tracking layer, not a general legal assessment. We audit what the tags actually do.
FREE AUDITS

Want to try before you commit?

  • Looking to try out Beluacode but not sure about it? You can always ask us for a free audit.
  • Free, no strings attached. We deliver the results and wish you a great day.
  • You will not be forced to talk to us, no call needed to release the results :)
Free

Free Generic Tracking

A high-level review of your overall tracking setup: event coverage, obvious configuration errors, attribution quality, and the highest-impact quick wins across your analytics and ad platforms.

Tracking Setup Quick Wins Analytics Ad Platforms
Free

Free GTM Container

A surface-level review of your Google Tag Manager container: tag count, obvious duplicates, missing consent triggers, broken references, and the highest-impact issues. Delivered as a written summary.

GTM Tag Inventory Consent Triggers Duplicates
Free

Free Consent Mode

A basic review of your Google Consent Mode v2 implementation: whether it is configured, which mode is active (Basic or Advanced), and whether consent states appear to be respected by your key tags.

Consent Mode v2 CMP GDPR Tag Firing
Free

Free Website Performance

A Lighthouse-based snapshot of your Core Web Vitals on key page templates, with a basic assessment of how your tag stack is affecting page speed. Delivered as a written summary with the top tag-related performance issues identified.

Core Web Vitals Lighthouse Tag Load Impact Page Speed
Free

Free GA4 Analytics

A spot-check of your GA4 property: event volume, obvious tracking gaps, and a comparison of your reported conversion numbers against expected behaviour. Delivered as a written summary with the top issues identified.

GA4 Event Coverage Conversion Gaps Data Quality
Our approach

How we deliver GDPR Tracking Compliance Audit.

A structured process built around your stack, your team, and your data.

01

Setup and scoping

We document all domains and user journeys in scope and confirm access to your tag manager and CMP before any testing begins.

02

Network interception across consent states

We intercept every outbound network request across four states: no interaction, rejected, partial, and accepted, capturing timing and payloads for each.

03

Consent signal verification

We confirm that Consent Mode v2 signals reach Google tags correctly and that your CMP callback fires before tags initialise on the page.

04

Violations documentation

Every pre-consent request is logged with a screenshot, precise timing, and the specific tag responsible, so the findings are unambiguous.

05

Remediation plan

Each violation receives a specific fix. Where possible we validate the fix in a staging environment before signing off.

Frequently Asked Questions

Is having a cookie banner enough for GDPR compliance?
No. A cookie banner that does not actually stop tags from firing is not compliant. The banner must cause your tracking tags to stop collecting data when users decline or do not interact. This audit tests whether that is happening.
What is network interception testing?
We intercept every outbound network request made by your site while toggling consent states. This shows exactly which tags fire, when they fire relative to consent interaction, and what data they send — regardless of what the GTM configuration looks like.
What does 'four consent states' mean?
No interaction (banner visible but not acted on), rejected (user declined all), partial consent (some categories accepted), and accepted (user accepted all). Each state should produce different tag behaviour, and we verify all four.
Do you fix the violations found?
The audit delivers a violations report and remediation plan. Fixing the issues is a separate engagement. For consent-related fixes, our Consent Mode Implementation and CMP-specific services cover the implementation.
Does this cover Consent Mode v2 specifically?
Yes. We verify that Consent Mode v2 signals are present, correctly configured, and firing before Google tags initialise. We also check whether Advanced mode is active and whether behavioural modelling is enabled.

Pairs well with

01

Consent Mode Implementation

Google Consent Mode v2 setup with CMP integration, correct default and update states, and behavioural modelling activation. Works with any CMP.

02

Improve Cookie Consent Acceptance Rate

Track and improve your cookie consent acceptance rate. We instrument banner interactions to establish a baseline, then help you design and run tests around copy, positioning, and design to improve the rate without compromising compliance.

03

Usercentrics Banner Implementation

Full Usercentrics deployment: banner configuration, GTM or direct integration, Consent Mode v2 wiring, and four-state validation. Covers both the UI layer and the underlying consent signal flow.

Real engagements. Real results.

A selection of projects where we delivered this service — what the challenge was, what we built, and what changed.

All use cases
01

Found 8 third-party scripts firing before consent on a SaaS platform

Network interception revealed LinkedIn Insight Tag, Hotjar, and 6 other scripts sending data on page load before any consent interaction. Full remediation reduced pre-consent requests to zero.

02

Implemented Consent Mode Advanced for a 12-market EU retail brand

Replaced Basic mode with Advanced mode and correct regional defaults. Behavioural modelling activated across all markets, recovering 38% of previously invisible conversions in GA4.

03

CMP migration from Cookiebot to OneTrust with zero tracking gaps

Managed the full migration for a financial services company, running both CMPs in parallel to verify no consent-state edge case introduced pre-consent data leaks.

Request a Quote

Review your selected services and submit your quote request.
We'll get in touch within 24 business hours.

Quote Request

Added to your quote

Fill in your details and we will get back to you within 24 hours to scope the work. Or keep browsing and add more services first.