What you get
Scan your website for cookies, trackers, and consent violations. Ten compliance checks, one report, 60 seconds.
See exactly what fires before anyone clicks Accept.
Tag Leak silently loads your site exactly as a real visitor would β before any consent interaction β and captures every network call, cookie, and storage write that fires. Each finding is automatically classified by vendor, severity, and category against a database of 50,000+ known tracker signals.
What it checks
Not just whether GCM v2 is present β whether it is correctly implemented.
GCM v2 is required for compliant GA4 and Google Ads conversion measurement in EU markets. The most common mistake: adding the consent call but leaving parameters defaulted to granted instead of denied. Tag Leak verifies the full implementation β timing, parameter values, and call order β and scores it 0β100.
What it checks
The consent standard your CMP must implement β verified at the API level.
IAB TCF v2.3 is the technical consent framework all IAB-registered CMPs β Cookiebot, Didomi, OneTrust, Axeptio, and 200+ others β are required to implement. Tag Leak verifies your CMP's TCF implementation at the API level, checking version, consent signal validity, and status across all 11 IAB consent purposes.
What it checks
Six headers. One scan. No extra tool required.
Security response headers are a GDPR Article 32 requirement and appear in DPA technical audits. Tag Leak checks all six in the same scan as the consent audit β no separate security scanner needed. Missing headers are reported as info findings with the specific value recommended.
What it checks
Your checkout page and product pages need to be compliant too.
GDPR violations frequently occur on pages other than the homepage β particularly forms, checkout flows, and content pages that load additional tracking scripts. Tag Leak discovers pages from your sitemap.xml automatically (with link crawl fallback) and scans them in parallel, giving you a full-site compliance picture.
What it checks
GDPR, UK GDPR, CCPA, LGPD, POPIA, and PDPA β scored in one scan.
Every Tag Leak scan automatically evaluates compliance against all six major privacy regulations without pre-selection. Each regulation gets its own score (0β100), a status (compliant / issues / critical), and a per-check pass/fail breakdown that maps to the specific technical requirements of that framework.
What it checks
Test from the jurisdiction that matters β not just your office location.
Many sites serve different consent experiences based on visitor location β a compliant Cookiebot setup for EU visitors, a banner-less experience for US visitors, or a geo-redirect to a different domain entirely. Geo-scanning detects all of this by running the scan from a real IP in the target jurisdiction.
What it checks
Every finding has an owner. Every fix has a step.
Generated directly from your scan findings, the Remediation Document is a structured fix plan that assigns every violation to the team that owns it β Developer, GTM Manager, or Legal. It is not a generic template. Download as PDF for your evidence file or to hand to the dev team.
What it checks
Compare Tag Leak
Banners donβt stop data leaks. Checklists donβt catch real behavior. Tag Leak is built to expose whatβs really happening on your site across vendors, regions, and consent states.
| Capability | Tag Leak | CookieYes | Cookiebot | OneTrust |
|---|---|---|---|---|
| Pre vs post-consent two-pass scan | β | β | β | β |
| GCM v2 implementation audit (0β100 score) | β | β | β | β |
| TCF v2.3 implementation audit (third-party) | β | β | β | β |
| 6-regulation compliance scoring | β | β | β | β |
| Geo-scanning (EU, UK, US, BR, APAC) | β | β | β | β |
| Security headers audit | β | β | β | β |
| AI remediation document | β | β | β | β |
| Cookie policy generated from scan data | β | β | β | β |
| Scan any URL free β no account, no install | β | β | β | β |
| Consent banner product | β | β | β | β |
"Implementation audit" = verifying whether an existing GCM v2 or TCF v2.3 setup is correctly configured, scored 0β100. CookieYes and Cookiebot implement these standards in their own banners β they do not audit third-party implementations. Comparison as of April 2026.
Pricing
$0
$19/mo
$49/mo
A cookie scanner is a tool that audits your website to detect all cookies and tracking technologies in use. It identifies which cookies fire before user consent, categorizes them by purpose (analytics, advertising, functional), and flags compliance issues with privacy regulations like GDPR, CCPA, and ePrivacy.
Tag Leak runs a two-pass scan in a real browser. First, it loads your site without any consent interaction to detect pre-consent tracking. Then it interacts with your consent banner (accept/reject) and scans again. This before-and-after approach reveals whether your consent mechanism actually blocks tracking β not just whether a banner appears.
Most cookie scanners only list what cookies exist on a page. Tag Leak goes further: it tests pre-consent vs. post-consent behavior, audits Google Consent Mode v2 implementation (all 7 parameters), checks IAB TCF compliance, verifies post-rejection behavior, and scores your site 0-100 across 6 privacy regulations simultaneously.
Yes. Single-page scans are free with no signup required. Free scans show the top 3 critical and 2 warning findings. Paid plans (Starter $19/mo, Pro $49/mo) unlock multi-page scanning, full reports, site monitoring, AI remediation documents, and geo-scanning from multiple regions.
Yes. Tag Leak is CMP-agnostic β it works with Cookiebot, OneTrust, CookieYes, Didomi, Usercentrics, Quantcast, and any other consent management platform. It detects and interacts with your CMP's banner automatically, then verifies whether it actually blocks tracking before consent.
Free scan, no signup. Paid features unlock automatically when you create an account.