Consent audits for agencies

The banner is the promise.
This is the receipt.

CookieTrail audits your clients' sites with real browsers in real countries — clicking accept, reject and dismiss, and recording every cookie against the CMP's own stored record. One branded evidence link per client. Nothing to install, no access needed.

Run 3 client sites free View a sample report →
yourclient.com · 🇬🇧 United Kingdom · path: Reject all visit 4 of 6
Reject ignored

The visitor clicked “Reject all.” The banner closed, the choice was recorded — and the marketing trackers fired anyway.

Meta Pixel · leaking Google Ads · leaking GA4 · blocked ✓
▾ Meta Pixel — evidence🔧 fix it
cookies written after reject  _fbp · .yourclient.com  fr · .facebook.com CMP's own record after this action: all-rejected (0/4 categories on) — yet the cookies above were still written. we operated  “Reject all” → button[data-cc="deny"]

Real capture, anonymized — every line above comes straight out of the report.

The moment

It's Thursday. The site ships Friday.
Someone says the word “cookies.”

Every agency knows this moment. Consent was nobody's line item — remembered at launch week, handled with whatever banner installs fastest, verified never. The banner appears, everyone exhales, the site ships.

But a banner appearing is evidence of nothing. Some fire every tracker before anyone chooses. Some ignore the reject button. And some do the opposite — quietly strangle the analytics you're on the hook to report next quarter.

CookieTrail turns the panic into a checklist item. Consent verified before launch, receipts in hand — and re-verified at the next launch, because you launch all the time.

Both sides of the line

Too loose, your client carries the risk.
Too locked, you eat the loss.

Everyone audits one side — the legal one. But a consent setup can fail in either direction, and the second failure is the one that lands on the agency.

⚑ Legal exposure — fires too much

The site tracks people who said no.

  • Ad pixels fire before anyone touches the banner
  • “Reject all” closes the banner — and changes nothing
  • The CMP defaults every category to accepted and calls it consent

Under GDPR and UK-GDPR that's exposure — and when it surfaces, it surfaces in the client relationship you own.

◌ Measurement loss — fires too little

The site blinds the tools you report with.

  • Trackers stay blocked even after the visitor accepts
  • A consent wall holds analytics hostage in markets that don't require one
  • Tags are installed, configured — and silent

The campaign dashboard is quietly fiction — and you're the one presenting it.

The right setup is maximum lawful measurement. CookieTrail scores both sides — every leak, and every signal you're legally entitled to but not getting.
The blindspot

See it like a Berliner.

Your whole team looks at the site from one desk, on one IP, in one language. Consent doesn't work that way — the banner, the buttons, the defaults, even what's legal change with the visitor. Nobody on the team can just… be German for five minutes.

CookieTrail can. A real browser on a residential connection in each country, with the language and timezone set to match — because sites key off all three.

https://yourclient.com 🇩🇪 Germany · GDPR
Diese Website verwendet Cookies.
🇩🇪 GDPRPrior consent required — nothing may fire until the visitor says yes, and reject must be as easy as accept.
🇬🇧 UK-GDPRSame bar as the EU — and the first layer with no reject button stops being a choice.
🇺🇸 CCPAOpt-out, not opt-in — a consent wall here doesn't protect anyone, it just blinds your analytics.

Same URL, three different sites. Every audit shows each one, side by side, with the capture to prove it.

The deliverable

One link per client.
Every claim carries its receipts.

Not a scanner printout listing cookies. A recorded walk through the site — per country, per choice — where every verdict can be clicked open down to the exact cookie, the CMP's own decoded record, and the button we pressed.

01

Every path, every country — walked, not assumed

A real browser visits from Germany, the UK and the US on residential connections, then takes each fork: accept all, reject all, granular, dismiss, ignore. Cold session every time, so nothing carries over.

02

Click any tracker, get the ledger

Every cookie the run added, itemized with its domain and vendor. The CMP's stored consent record, decoded and set side-by-side with what actually happened: “the record says all-rejected — yet these cookies were written.” Plus the exact control and selector we operated.

03

“How we audit” is a card in the report

Six instruments, shown to your client, with live counts from their own audit:

cookie ledgerconsent-record read-backpreference-panel read-back banner cartographyscreenshotsagent escalation

yourclient.com · Germany: 6 separate visits · 46 cookie-jar entries read · 5 consent records decoded · 12 screenshots

04

Honest to a fault — by design

If we didn't observe something, the report says so. No invented timelines, no “no banner found” over a screenshot of a banner, no treating a CMP's self-report as truth — we read the toggles back after every action, because consent tools lie about themselves more often than you'd think.

Open the sample report → First visit gets a 30-second guided tour. Works on a phone in a client meeting.
From finding to fix

Every leak ends in a task, not a shrug.

Leaking trackers carry a 🔧 fix it tag, and every one can be copied out as a self-contained brief — what we observed, the cookie trail, the selector we pressed, the CMP's contradicting record, and how to verify the fix. Written to paste straight into a coding agent.

Every tracker in the report reads in two signals: the tile says whether it's firing, the badge says whether that's correct. Only two of these four need fixing — and they're opposite problems.

f! Leaking
Firing against a “no” — before consent, or after reject. The legal one.
Stuck
Consent granted, tag never fires. Paid for, installed — dark. The money one.
hj Blocked
Denied and silent. The refusal was respected — proof the gating works.
GA Firing
Granted and firing cleanly. Measurement you're entitled to, working.
## Stop Meta Pixel firing after “Reject all” — yourclient.com
**What we observed**
path: UK visitor → Reject all (button[data-cc="deny"])
cookies after reject: _fbp (.yourclient.com), fr (.facebook.com)
CMP record: all-rejected (0/4 categories on)
**The task**
Gate the pixel behind the CMP's marketing category. If it fires from an ungated tag-manager trigger, the CMP can't block it.
**How to verify**
Fresh profile → reject → confirm _fbp absent → reload → still absent.
— Generated by CookieTrail · yourclient.com · UK · reject-all

Your dev — or your client's coding agent — starts with evidence, not a ticket that says “cookies broken?”

The brief carries everything needed to reproduce and verify, so the fix doesn't bounce back with questions. Per-vendor starting points included: Consent Mode defaults for Google tags, category-gating for Meta, HubSpot and the rest.

Then re-run the audit and the same report shows the leak closed — blocked ✓, the gating works — which is a much better email to send a client than a promise.

What we find

The same messes, portfolio after portfolio.

We precheck whole agency rosters. Nearly every one surfaces a few of these — usually on the sites everyone assumed were fine.

fake-install

A real CMP, installed and answering — while vendors beacon away with no consent recorded at all. The banner is scenery.

seen: national-press site · CMP live, 5 vendors beaconing, 166 third-party cookies
implied-consent

The record defaults every category to accepted before anyone touches anything. The CMP “works” — it just presumes yes.

seen: fintech site · 29/29 categories pre-accepted on load
wide-open

No CMP at all. Ad and analytics trackers fire on first paint for every visitor in every jurisdiction.

seen: DTC brand · 6 trackers firing, no banner anywhere
no-reject-offered

The first layer offers “Accept” and a settings maze — no reject. In the UK and EU, that's not a choice, it's a toll booth.

seen: two of five sites in one demo portfolio
over-locked

A consent wall holds every tag hostage — including in markets that don't require one. Lawful measurement, thrown away.

seen: US visitors walled, analytics dark in the biggest market
silent-tags

Tags installed, configured, paid for — and never firing, on any path. Nobody noticed because nobody looked.

seen: telehealth site · pixel present, zero hits on all six visits

Verdicts from real prechecks and audits; sites anonymized. Findings about client sites stay private — outreach is one-to-one, never a wall of shame.

How it works

Portfolio in, receipts out.

1

Point us at your agency free

Give us your site — we read the portfolio and pull the client list. Or paste domains. No client access, no script tags, nothing to install, ever.

2

Precheck triage across the whole roster free

One passive visit per site ranks the portfolio by how interesting the consent mess is — fake installs and wide-open sites float to the top. Seconds per site, so thirty clients isn't thirty audits.

3

Full audit on the sites that matter

Real browsers on residential connections in Germany, the UK and the US walk every consent path — recording cookies, decoding consent records, reading toggles back, screenshotting each step.

4

One branded link per client

Send it ahead of the call or walk them through it live. The findings are theirs; the deliverable — and the fix work it creates — is yours to sell.

Keep whatever banner they have. CookieTrail is CMP-agnostic and outside-in — it doesn't replace OneTrust, Cookiebot or the rest; it's the independent check that says whether they're doing their job. Make it the line on your launch checklist that says consent · verified ✓

Start here

Three client sites. Fifteen minutes.

Drop your agency's site below. We'll precheck your portfolio free and walk you through the two or three findings actually worth your time — before a client, or a regulator, finds them first.

Precheck the whole portfolio · free Per-client audit · DE / UK / US · every path · branded link Launch plan · audit every launch + re-verify fixes

Early access — audits are run and presented by a human, on purpose. That's the 15 minutes.