Tag Leak for Compliance Teams — Technical Evidence for GDPR & Privacy Audits

The technical gaps that appear in every audit

Your consent banner may not be blocking anything

A visually present consent banner does not mean tags are blocked. Many CMP implementations fail to prevent GA4, Meta Pixel, or ad network scripts from firing before consent interaction. Tag Leak tests this with a live browser — not a static scan.

Regulators audit more than cookie categories

ICO, CNIL, and DPA audits increasingly look at GCM v2 implementation, IAB TCF v2.2 compliance, cookie lifetime (the ICO's 13-month threshold), and security headers. A standard cookie scanner won't cover these.

Jurisdiction-specific behavior is invisible from one location

A site may serve a compliant experience to EU visitors (Cookiebot blocking everything) but a non-compliant version to US visitors (no consent banner at all). Geo-scanning from DE, UK, US, Brazil, and Singapore surfaces this.

How Tag Leak helps

A technical audit you can put in front of a regulator

Every finding is documented with the exact technical evidence: which tag, which endpoint, which cookie, which parameter, which page, and from which jurisdiction.

6-regulation compliance audit — all in one scan

Every Tag Leak scan automatically evaluates compliance against GDPR (EU), UK GDPR (ICO), CCPA/CPRA (California), LGPD (Brazil), POPIA (South Africa), and PDPA (Thailand). Each regulation produces a score and a per-check pass/fail breakdown that maps to the specific technical requirements of that framework.

GDPR / UK GDPR: pre-consent trackers, consent banner, GCM v2, TCF v2.2, cookie lifetime
CCPA: Do Not Sell/Share link presence, USP API, GPP API
LGPD / POPIA / PDPA: opt-in banner model, pre-consent tracker detection
Per-regulation score 0–100 with compliant / issues / critical status
Disclaimer on every report: technical scan only — does not constitute legal advice

IAB TCF v2.2 — version, event status, and all 11 purposes

IAB TCF v2.2 is the technical consent standard all IAB-registered CMPs must implement. Tag Leak calls __tcfapi directly — the same API DPA verification tools use — and checks the version (v2.2 vs outdated v2.0), event status, TC string presence, and consent status for each of the 11 IAB purposes.

Detects v2.2 vs v2.0 — flags outdated tcfPolicyVersion
Validates event_status (useractioncomplete vs loaded)
Audits P1–P11: Store and/or access information on a device, Basic ads, Personalised ads, Content measurement, etc.
Shows registered vendor count and CMP ID
TCF score 0–100 with specific issues listed

Geo-scanning — test from the jurisdiction that matters

Scan your site from real IPs in Germany (GDPR), United Kingdom (UK GDPR / PECR), United States (CCPA), Brazil (LGPD), and Singapore (PDPA). Geo-redirects are flagged when the hostname changes after navigation, and the report shows the version of the site actually served to that jurisdiction.

Pro feature: EU (DE), UK, US, Brazil, APAC (SG)
Detects geo-redirects — different compliance posture per jurisdiction
Region-aware Accept-Language headers for accurate locale simulation
Each geo scan produces a complete report with region noted in the header

AI Remediation Document — traceable evidence artifact

Generated from your actual findings — not a generic template. The Remediation Document serves as a dated, structured record of your compliance assessment and the remediation steps assigned to each team. Download as PDF for your audit file.

Executive Summary: compliance posture at a glance
Priority Actions: critical findings with owner ([Developer] / [GTM Manager] / [Legal]) and specific fix steps
Recommended Actions: warnings with implementation notes
Compliance Checklist: yes/no per finding for sign-off evidence
Saved to your dashboard — accessible as a dated record of each assessment

Technical evidence for every privacy audit.