CookieTrail audits your clients' sites with real browsers in real countries — clicking accept, reject and dismiss, and recording every cookie against the CMP's own stored record. One branded evidence link per client. Nothing to install, no access needed.
The visitor clicked “Reject all.” The banner closed, the choice was recorded — and the marketing trackers fired anyway.
Real capture, anonymized — every line above comes straight out of the report.
Every agency knows this moment. Consent was nobody's line item — remembered at launch week, handled with whatever banner installs fastest, verified never. The banner appears, everyone exhales, the site ships.
But a banner appearing is evidence of nothing. Some fire every tracker before anyone chooses. Some ignore the reject button. And some do the opposite — quietly strangle the analytics you're on the hook to report next quarter.
CookieTrail turns the panic into a checklist item. Consent verified before launch, receipts in hand — and re-verified at the next launch, because you launch all the time.
Everyone audits one side — the legal one. But a consent setup can fail in either direction, and the second failure is the one that lands on the agency.
Under GDPR and UK-GDPR that's exposure — and when it surfaces, it surfaces in the client relationship you own.
The campaign dashboard is quietly fiction — and you're the one presenting it.
Your whole team looks at the site from one desk, on one IP, in one language. Consent doesn't work that way — the banner, the buttons, the defaults, even what's legal change with the visitor. Nobody on the team can just… be German for five minutes.
CookieTrail can. A real browser on a residential connection in each country, with the language and timezone set to match — because sites key off all three.
Same URL, three different sites. Every audit shows each one, side by side, with the capture to prove it.
Not a scanner printout listing cookies. A recorded walk through the site — per country, per choice — where every verdict can be clicked open down to the exact cookie, the CMP's own decoded record, and the button we pressed.
A real browser visits from Germany, the UK and the US on residential connections, then takes each fork: accept all, reject all, granular, dismiss, ignore. Cold session every time, so nothing carries over.
Every cookie the run added, itemized with its domain and vendor. The CMP's stored consent record, decoded and set side-by-side with what actually happened: “the record says all-rejected — yet these cookies were written.” Plus the exact control and selector we operated.
Six instruments, shown to your client, with live counts from their own audit:
yourclient.com · Germany: 6 separate visits · 46 cookie-jar entries read · 5 consent records decoded · 12 screenshots
If we didn't observe something, the report says so. No invented timelines, no “no banner found” over a screenshot of a banner, no treating a CMP's self-report as truth — we read the toggles back after every action, because consent tools lie about themselves more often than you'd think.
Leaking trackers carry a 🔧 fix it tag, and every one can be copied out as a self-contained brief — what we observed, the cookie trail, the selector we pressed, the CMP's contradicting record, and how to verify the fix. Written to paste straight into a coding agent.
Every tracker in the report reads in two signals: the tile says whether it's firing, the badge says whether that's correct. Only two of these four need fixing — and they're opposite problems.
The brief carries everything needed to reproduce and verify, so the fix doesn't bounce back with questions. Per-vendor starting points included: Consent Mode defaults for Google tags, category-gating for Meta, HubSpot and the rest.
Then re-run the audit and the same report shows the leak closed — blocked ✓, the gating works — which is a much better email to send a client than a promise.
We precheck whole agency rosters. Nearly every one surfaces a few of these — usually on the sites everyone assumed were fine.
A real CMP, installed and answering — while vendors beacon away with no consent recorded at all. The banner is scenery.
seen: national-press site · CMP live, 5 vendors beaconing, 166 third-party cookiesThe record defaults every category to accepted before anyone touches anything. The CMP “works” — it just presumes yes.
seen: fintech site · 29/29 categories pre-accepted on loadNo CMP at all. Ad and analytics trackers fire on first paint for every visitor in every jurisdiction.
seen: DTC brand · 6 trackers firing, no banner anywhereThe first layer offers “Accept” and a settings maze — no reject. In the UK and EU, that's not a choice, it's a toll booth.
seen: two of five sites in one demo portfolioA consent wall holds every tag hostage — including in markets that don't require one. Lawful measurement, thrown away.
seen: US visitors walled, analytics dark in the biggest marketTags installed, configured, paid for — and never firing, on any path. Nobody noticed because nobody looked.
seen: telehealth site · pixel present, zero hits on all six visitsVerdicts from real prechecks and audits; sites anonymized. Findings about client sites stay private — outreach is one-to-one, never a wall of shame.
Give us your site — we read the portfolio and pull the client list. Or paste domains. No client access, no script tags, nothing to install, ever.
One passive visit per site ranks the portfolio by how interesting the consent mess is — fake installs and wide-open sites float to the top. Seconds per site, so thirty clients isn't thirty audits.
Real browsers on residential connections in Germany, the UK and the US walk every consent path — recording cookies, decoding consent records, reading toggles back, screenshotting each step.
Send it ahead of the call or walk them through it live. The findings are theirs; the deliverable — and the fix work it creates — is yours to sell.
Keep whatever banner they have. CookieTrail is CMP-agnostic and outside-in — it doesn't replace OneTrust, Cookiebot or the rest; it's the independent check that says whether they're doing their job. Make it the line on your launch checklist that says consent · verified ✓
Drop your agency's site below. We'll precheck your portfolio free and walk you through the two or three findings actually worth your time — before a client, or a regulator, finds them first.
Early access — audits are run and presented by a human, on purpose. That's the 15 minutes.