Free Audit

Get your free audit

We will get in touch to scope the work with you, then deliver the audit with no strings attached. Select the audit you want us to look at below.

What should we audit?

View full details for this audit
Prefer a call? Book a call
GDPR

GDPR Tracking Compliance Audit

Technical audit of how your tracking stack responds to user consent choices. We intercept network requests across all consent states and document exactly which tags fire before they should, which consent signals are missing or misconfigured, and whether Consent Mode v2 is correctly integrated with your CMP.

TLDR

Network-interception audit of your tracking stack across all four consent states, producing a violations report with specific remediation steps.

Best for

Any business with EU users who has a cookie banner but has never verified whether tags actually stop firing when they should.

  • 12-15 hours across one primary domain
  • All four consent states tested via network interception
  • Every third-party request documented
  • Works with any CMP

Depending on your existing setup, some steps below can be shortened or skipped entirely.

Delivery roadmap

How we deliver GDPR Tracking Compliance Audit.

Step 01

Setup and scoping

We document all domains and user journeys in scope and confirm access to your tag manager and CMP before any testing begins.

Step 02

Network interception across consent states

We intercept every outbound network request across four states: no interaction, rejected, partial, and accepted, capturing timing and payloads for each.

Step 03

Consent signal verification

We confirm that Consent Mode v2 signals reach Google tags correctly and that your CMP callback fires before tags initialise on the page.

Step 04

Remediation plan

Each violation is documented with receives a specific fix. Where possible we validate the fix in a staging environment before signing off.

Overview

How to know if you need a GDPR Tracking Compliance Audit

  • You have a cookie banner but have never confirmed via network testing that tags actually stop firing when users decline or ignore it.
  • A GDPR review, legal team, or data protection officer has flagged your tracking setup as a potential compliance risk.
  • You use multiple analytics and advertising tags and are not sure all of them respect consent signals correctly.
  • You have recently changed your CMP, tag manager setup, or consent configuration and have not re-tested since.

What the GDPR Tracking Compliance Audit covers

  • Network interception across four consent states: no interaction, rejected, partial consent, and accepted.
  • Every outbound network request documented relative compliance status.
  • Consent Mode v2 signal verification: correct parameters reaching Google tags, and callback firing before tag initialisation.
  • CMP integration review: whether your CMP's consent signal is correctly wired to your tag manager.
  • Specific identification of which tags fire before they should and the precise timing of each pre-consent request.

GDPR Tracking Compliance Audit outcomes

  • A violations report listing every pre-consent data request with screenshots, timing, and the specific tag responsible.
  • A technical remediation plan with a specific fix for each violation.
  • Evidence of compliance for each consent state, which can be retained for documentation purposes.

GDPR Tracking Compliance Audit scope and hours

  • 12-15 hours across one primary domain.
  • Works with any CMP: Cookiebot, OneTrust, Usercentrics, CookieYes, and others.
  • Scope confirmed after reviewing the number of domains, subdomains, tag stack, and CMP setup.

What makes our GDPR Tracking Compliance Audit different

  • We test actual network traffic, not just the GTM configuration. A tag can look correctly configured and still fire pre-consent due to timing issues.
  • Every violation is documented and gets a specific fix, not a general recommendation to 'review your consent setup'.
  • This is a technical compliance review of your tracking layer, not a general legal assessment. We audit what the tags actually do.

More GDPR services

View all GDPR services
FREE AUDITS

Want to try before you commit?

  • Looking to try out Beluacode but not sure about it? You can always ask us for a free audit.
  • Free, no strings attached. We deliver the results and wish you a great day.
  • You will not be forced to talk to us, no call needed to release the results :)
Free

Free Generic Tracking

A high-level review of your overall tracking setup: event coverage, obvious configuration errors, attribution quality, and the highest-impact quick wins across your analytics and ad platforms.

Free

Free GTM Container

A surface-level review of your Google Tag Manager container: tag count, obvious duplicates, missing consent triggers, broken references, and the highest-impact issues. Delivered as a written summary.

Free

Free Consent Mode

A basic review of your Google Consent Mode v2 implementation: whether it is configured, which mode is active (Basic or Advanced), and whether consent states appear to be respected by your key tags.

Free

Free Website Performance

A Lighthouse-based snapshot of your Core Web Vitals on key page templates, with a basic assessment of how your tag stack is affecting page speed. Delivered as a written summary with the top tag-related performance issues identified.

Free

Free GA4 Analytics

A spot-check of your GA4 property: event volume, obvious tracking gaps, and a comparison of your reported conversion numbers against expected behaviour. Delivered as a written summary with the top issues identified.

Frequently Asked Questions

Is having a cookie banner enough for GDPR compliance?
No. A cookie banner that does not actually stop tags from firing is not compliant. The banner must cause your tracking tags to stop collecting data when users decline or do not interact. This audit tests whether that is happening.
What is network interception testing in a GDPR compliance audit?
We intercept every outbound network request made by your site while toggling consent states. This shows exactly which tags fire, when they fire relative to consent interaction, and what data they send, regardless of what the GTM configuration looks like.
What does 'four consent states' mean in a GDPR tracking audit?
No interaction (banner visible but not acted on), rejected (user declined all), partial consent (some categories accepted), and accepted (user accepted all). Each state should produce different tag behaviour, and we verify all four.
Do you fix the violations found during the GDPR audit?
The audit delivers a violations report and remediation plan. Fixing the issues is a separate engagement. For consent-related fixes, our Consent Mode Implementation and CMP-specific services cover the implementation.
Does the GDPR Tracking Compliance Audit cover Consent Mode v2?
Yes. We verify that Consent Mode v2 signals are present, correctly configured, and firing before Google tags initialise. We also check whether Advanced mode is active and whether behavioural modelling is enabled.

Pairs well with

01

Usercentrics Banner Implementation

Full Usercentrics deployment: banner configuration, GTM or direct integration, Consent Mode v2 wiring, and four-state validation. Covers both the UI layer and the underlying consent signal flow.

02

CookieYes Banner Implementation

CookieYes deployment with GTM integration, Consent Mode v2 configuration, and full four-state compliance testing. Suitable for businesses on any CookieYes plan.

03

Cookiebot Banner Implementation

Cookiebot deployment with GTM integration, Consent Mode v2 setup, and network-level compliance verification across all four consent states.

Request a Quote

Review your selected services and submit your quote request.
We'll get in touch within 24 business hours.

Book a call
Quote Request

Added to your quote

Fill in your details and we will get back to you within 24 hours to scope the work. Or keep browsing and add more services first.