What you get

Every feature in Tag Leak

One scan. Ten compliance checks. A full report in 60 seconds.

Premium | Free account

Google Consent Mode v2 audit

Not just whether GCM v2 is present — whether it is correctly implemented.

GCM v2 is required for compliant GA4 and Google Ads conversion measurement in EU markets. A common mistake: implementing the gtag consent call but defaulting parameters to 'granted' instead of 'denied'. Tag Leak injects an interceptor before any page code runs, captures all consent calls in the correct order, and scores the implementation against all seven required parameters.

What it checks

  • Detects v1 vs v2 — flags missing ad_user_data and ad_personalization parameters
  • Checks default consent state: 'denied' required, 'not_set' fails, 'granted' is a violation
  • Verifies consent call fires before GTM container (ordering matters)
  • GTM container IDs extracted from network requests
  • Score 0–100: -30 no default call, -10 per parameter defaulting to 'granted', -15 for v1, -5 no GTM
  • GA4 and Google Ads findings downgraded warning→info when GCM v2 score ≥ 70 with explicit denied defaults
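
The scoring rubric above applied to a captured call sequence, as an added example (not Tag Leak's own code). The event record shape, the `scoreGcm` name, and the choice to report ordering and not_set problems as findings without a point deduction are assumptions, since the page gives no point value for them.

```javascript
// Added example, not Tag Leak's code. Deductions follow the list above.
const V2_ONLY = ['ad_user_data', 'ad_personalization'];
const PARAMS = ['ad_storage', 'analytics_storage', 'functionality_storage',
  'personalization_storage', 'security_storage', ...V2_ONLY];

// events: ordered capture, assumed shape:
//   { type: 'consent', args: ['default' | 'update', {...}] } or { type: 'gtm', id }
function scoreGcm(events) {
  const findings = [];
  let score = 100;
  const isDefault = (e) => e.type === 'consent' && e.args[0] === 'default';
  const firstDefault = events.findIndex(isDefault);
  const firstGtm = events.findIndex((e) => e.type === 'gtm');

  if (firstGtm === -1) { score -= 5; findings.push('no GTM container'); }
  if (firstDefault === -1) {
    score -= 30; findings.push('no default consent call');
    return { score, findings };
  }
  if (firstGtm !== -1 && firstGtm < firstDefault) {
    findings.push('GTM container loaded before default consent call');
  }
  // Merge every default call conservatively: 'granted' anywhere wins.
  const state = {};
  for (const e of events.filter(isDefault)) {
    for (const [key, value] of Object.entries(e.args[1] || {})) {
      if (PARAMS.includes(key) && state[key] !== 'granted') state[key] = value;
    }
  }
  if (V2_ONLY.some((p) => !(p in state))) {
    score -= 15; findings.push('v1: ad_user_data / ad_personalization missing');
  }
  for (const p of PARAMS) {
    if (state[p] === 'granted') { score -= 10; findings.push(`${p} defaults to granted`); }
    else if (state[p] !== 'denied') findings.push(`${p} is not_set`);
  }
  return { score, findings };
}

// Constructed sample captures.
const denyAll = Object.fromEntries(PARAMS.map((p) => [p, 'denied']));
const compliant = [{ type: 'consent', args: ['default', denyAll] },
  { type: 'gtm', id: 'GTM-EXAMPLE' }];
const broken = [{ type: 'gtm', id: 'GTM-EXAMPLE' },
  { type: 'consent', args: ['default', { ad_storage: 'granted', analytics_storage: 'granted' }] }];

console.log(scoreGcm(compliant)); // { score: 100, findings: [] }
console.log(scoreGcm(broken).score); // 65
```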
Premium | Free account

IAB TCF v2.2 detection

The consent standard your CMP must implement — verified at the API level.

IAB TCF v2.2 is the technical consent framework all IAB-registered CMPs (Cookiebot, Didomi, OneTrust, Axeptio, and 200+ others) are required to implement. Tag Leak calls __tcfapi directly — the same interface DPA verification tools use — and checks version, event status, TC string validity, and consent status across all 11 IAB consent purposes.

What it checks

  • tcfPolicyVersion ≥ 4 = v2.2, else v2.0 (flagged as outdated)
  • event_status: useractioncomplete required for valid post-consent state
  • TC string presence and basic validity check
  • Consent status for all 11 IAB purposes (P1–P11)
  • Vendor count and CMP ID extracted
  • Score 0–100: -25 for v2.0, -20 no TC string, -15 wrong event_status, -10 no CMP ID
Premium | Free account

Security headers audit

Six headers. One scan. No extra tool required.

Security response headers are a GDPR Article 32 requirement and appear in DPA technical audits. Tag Leak checks all six in the same scan as the consent audit — no separate security scanner needed. Missing headers are reported as info findings with the specific value recommended.

What it checks

  • Strict-Transport-Security (HSTS) — prevents protocol downgrade attacks
  • Content-Security-Policy — controls which resources the browser can load
  • X-Frame-Options — prevents clickjacking attacks
  • X-Content-Type-Options — prevents MIME-type sniffing
  • Referrer-Policy — controls what referrer information is sent
  • Permissions-Policy — restricts browser feature access (camera, microphone, geolocation)
Core | $19/mo

Multi-page scanning

Your checkout page and product pages need to be compliant too.

GDPR violations frequently occur on pages other than the homepage — particularly forms, checkout flows, and content pages that load additional tracking scripts. Tag Leak discovers pages from your sitemap.xml automatically (with link crawl fallback) and scans them in parallel, giving you a full-site compliance picture.

What it checks

  • Sitemap-first URL discovery with <a> link crawl fallback
  • Starter: up to 25 pages per scan | Pro: up to 100 pages per scan
  • Pages scanned in parallel (concurrency 5 for >10 pages)
  • Per-page score, critical/warning count, and consent banner status in report
  • Findings deduplicated across pages — one entry per unique violation, not 100 copies
  • page_url shown on each finding so you know exactly where the violation occurs
Core | Free account

6-regulation compliance audit

GDPR, UK GDPR, CCPA, LGPD, POPIA, and PDPA — scored in one scan.

Every Tag Leak scan automatically evaluates compliance against all six major privacy regulations without pre-selection. Each regulation gets its own score (0–100), a status (compliant / issues / critical), and a per-check pass/fail breakdown that maps to the specific technical requirements of that framework.

What it checks

  • GDPR 🇪🇺 — pre-consent trackers, consent banner, GCM v2, TCF v2.2, cookie lifetime
  • UK GDPR 🇬🇧 — ICO guidance, PECR, 13-month cookie threshold
  • CCPA 🇺🇸 — DNSMPI link, Limit Sensitive PI link, USP API, GPP API
  • LGPD 🇧🇷 — opt-in consent model, pre-consent tracker detection
  • POPIA 🇿🇦 — opt-in model, banner presence, tracker detection
  • PDPA 🇹🇭 — opt-in model, banner presence, tracker detection
Pro | $49/mo

Geo-scanning

Test from the jurisdiction that matters — not just your office location.

Many sites serve different consent experiences based on visitor location — a compliant Cookiebot setup for EU visitors, a banner-less experience for US visitors, or a geo-redirect to a different domain entirely. Geo-scanning detects all of this by running the scan from a real IP in the target jurisdiction.

What it checks

  • 🇪🇺 EU — Germany (GDPR) | 🇬🇧 UK — United Kingdom (UK GDPR / PECR)
  • 🇺🇸 US — United States (CCPA) | 🇧🇷 Brazil (LGPD) | 🌏 APAC — Singapore (PDPA)
  • Geo-redirect detection β€” flags when hostname changes after navigation
  • Region-aware Accept-Language header for accurate locale simulation
  • Each geo scan produces a complete report with region noted in the header
  • Webshare datacenter proxies — consistent IP geolocation per region
Premium | Free account

AI Remediation Document

Every finding has an owner. Every fix has a step.

Generated from your actual scan findings using GPT-4o-mini, the Remediation Document is a structured fix plan that assigns every violation to the team that owns it — Developer, GTM Manager, or Legal. It is not a generic template. Download as PDF for your evidence file or to hand to the dev team.

What it checks

  • Executive Summary — compliance posture in 2–3 sentences
  • Priority Actions — critical findings with [Developer] / [GTM Manager] / [Legal] tag and specific fix steps
  • Recommended Actions — warnings with implementation notes
  • Quick Wins — security headers and low-effort fixes that unblock audit sign-off
  • What Cannot Be Automated — items requiring legal review
  • Compliance Checklist — yes/no per finding for sign-off evidence
  • Rate limit: 3 generations/user/day | PDF export included

Competitive comparison

Built for auditing. Not for selling you a banner.

CookieYes and Cookiebot are Consent Management Platforms — their scanner is a secondary feature inside a banner product. Tag Leak is a standalone audit tool, banner-agnostic and depth-first.

| Capability | Tag Leak | CookieYes | Cookiebot | OneTrust |
|---|---|---|---|---|
| Pre vs post-consent two-pass scan | ✓ | — | — | — |
| GCM v2 implementation audit (0–100 score) | ✓ | — | — | — |
| TCF v2.2 implementation audit (third-party) | ✓ | — | — | — |
| 6-regulation compliance scoring | ✓ | — | — | ✓ |
| Geo-scanning (EU, UK, US, BR, APAC) | ✓ | — | — | — |
| Security headers audit | ✓ | — | — | — |
| AI remediation document | ✓ | — | — | — |
| Cookie policy generated from scan data | ✓ | — | — | — |
| Scan any URL free — no account, no install | ✓ | — | — | — |
| Consent banner product | — | ✓ | ✓ | ✓ |

"Implementation audit" = verifying whether an existing GCM v2 or TCF v2.2 setup is correctly configured, scored 0–100. CookieYes and Cookiebot implement these standards in their own banners — they do not audit third-party implementations. Comparison as of April 2026.

Pricing

Start free. Upgrade when you need more.

Free

$0

  • 1-page scan
  • Top 3 critical + 2 warning
  • No signup required

Starter

$19/mo

  • 25-page scanning
  • 3 monitored sites (weekly)
  • Full report + all sections
  • AI Remediation Document
  • Cookie policy generator

Pro

$49/mo

  • 100-page scanning
  • 20 monitored sites (daily)
  • Geo-scanning (5 regions)
  • White-label PDF export
  • Everything in Starter

All ten checks. One scan. 60 seconds.

Free scan, no signup. Paid features unlock automatically when you create an account.