GDPR compliance scanner
Tag Leak audits the technical requirements that GDPR and ePrivacy actually mandate: no cookies or tracking before consent, a working consent mechanism, correct Google Consent Mode v2 implementation, and IAB TCF v2.3 compliance if you use an IAB-registered CMP.
Free scan · No signup · Every scan covers all 6 major privacy regulations
Technical checks
These are scanner-detectable technical requirements. Regulatory compliance also requires legal review of your policies, contracts, and data processing activities.
GDPR Article 6 and the ePrivacy Directive require that non-essential cookies and trackers fire only after a user has given informed consent. Tag Leak scans your site in a real browser before any consent interaction and flags every ad, analytics, and tracking tag that fires early — including GA4, Meta Pixel, Google Ads, and hundreds of other vendors.
A banner that renders but fails to block scripts is not a valid consent mechanism. Tag Leak tests whether your CMP — Cookiebot, OneTrust, Usercentrics, Didomi, and 20+ others — actually prevents tracking before consent, not just whether the banner appears.
GCM v2 is required for compliant GA4 and Google Ads operation in EU markets. Tag Leak checks all seven GCM v2 parameters and verifies that your default consent states are correctly set to 'denied' before consent is given — a common misconfiguration that results in unrestricted data collection.
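A check of this kind, written as an added example (not Tag Leak's code): it inspects a dataLayer snapshot for the Consent Mode default command, its position relative to the first config/event command, and the state of each consent type. The sample snapshot is constructed, and the rule that only the four ad and analytics signals must default to 'denied' is an assumption of this example.

```javascript
// The seven Consent Mode v2 consent types.
const GCM_V2_SIGNALS = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
  'functionality_storage', 'personalization_storage', 'security_storage',
];
// Assumption of this example: the ad and analytics signals must default to 'denied'.
const MUST_DEFAULT_DENIED = GCM_V2_SIGNALS.slice(0, 4);

// gtag() pushes its `arguments` object onto dataLayer; GTM pushes plain objects.
function gtagCommands(dataLayer) {
  return dataLayer
    .filter((e) => Array.isArray(e) || Object.prototype.toString.call(e) === '[object Arguments]')
    .map((e) => Array.from(e));
}

function auditConsentDefaults(dataLayer) {
  const cmds = gtagCommands(dataLayer);
  const isDefault = (c) => c[0] === 'consent' && c[1] === 'default';
  const firstDefault = cmds.findIndex(isDefault);
  if (firstDefault < 0) return ['no consent default command'];
  const findings = [];
  const firstSend = cmds.findIndex((c) => c[0] === 'config' || c[0] === 'event');
  if (firstSend >= 0 && firstSend < firstDefault) {
    findings.push('consent default set after first config/event command');
  }
  // Merge unscoped defaults in order; region-scoped calls are ignored here.
  const state = {};
  for (const c of cmds) {
    if (isDefault(c) && c[2] && !c[2].region) Object.assign(state, c[2]);
  }
  for (const signal of GCM_V2_SIGNALS) {
    if (!(signal in state)) findings.push(`${signal}: no default set`);
    else if (MUST_DEFAULT_DENIED.includes(signal) && state[signal] !== 'denied') {
      findings.push(`${signal}: defaults to '${state[signal]}'`);
    }
  }
  return findings;
}

// Constructed dataLayer snapshot; G-XXXXXXX is a placeholder, not a real ID.
const SAMPLE_DATALAYER = [
  { 'gtm.start': 1736899200000, event: 'gtm.js' },
  ['js', new Date('2025-01-15T00:00:00Z')],
  ['config', 'G-XXXXXXX'],
  ['consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied',
    analytics_storage: 'granted', wait_for_update: 500 }],
];
```

In a browser console, `auditConsentDefaults(window.dataLayer)` run before any banner interaction gives the same report for a live page.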
If you use an IAB-registered CMP (Cookiebot, Didomi, OneTrust, Axeptio, and 200+ others), your implementation must meet TCF v2.3 requirements. Tag Leak verifies version compliance, event status, TC string validity, and consent status across all 11 IAB purposes.
Per CNIL and ICO guidance, tracking cookies with a lifetime exceeding 13 months are treated as disproportionate. Tag Leak checks cookie expiry dates and flags any pre-consent cookies that exceed this threshold as a separate violation.
GDPR Article 32 requires appropriate technical measures to protect personal data. Tag Leak checks six security response headers — HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — as part of every scan.
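The cookie-lifetime and security-header checks described above can both be run over a single HTTP response. The following is an added example, not Tag Leak's code: it assumes the response was captured before any consent interaction, that its cookies have already been classified as tracking cookies, and that "13 months" means 13 calendar months from the scan time. The sample headers and cookies are constructed.

```javascript
const SECURITY_HEADERS = [
  'strict-transport-security', 'content-security-policy', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
];

// Latest acceptable expiry: 13 calendar months after the scan time.
function thirteenMonthsAfter(now) {
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + 13);
  return limit;
}

// Name and expiry of one Set-Cookie value; expiry is null for a session cookie.
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function cookieExpiry(setCookie, now) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    if (eq < 0) continue; // flag attributes such as Secure, HttpOnly
    const key = attr.slice(0, eq).trim().toLowerCase();
    const value = attr.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === 'expires' && !Number.isNaN(Date.parse(value))) expires = new Date(value);
  }
  const expiry = maxAge !== null ? new Date(now.getTime() + maxAge * 1000) : expires;
  return { name: pair.split('=')[0], expiry };
}

function auditResponse(headers, setCookies, now) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  const limit = thirteenMonthsAfter(now);
  return {
    missingHeaders: SECURITY_HEADERS.filter((h) => !present.has(h)),
    longLivedCookies: setCookies.map((c) => cookieExpiry(c, now))
      .filter((c) => c.expiry !== null && c.expiry > limit).map((c) => c.name),
  };
}

// Constructed sample input, not captured from a real site.
const SAMPLE_NOW = new Date('2025-01-15T00:00:00Z');
const SAMPLE_HEADERS = { 'Strict-Transport-Security': 'max-age=31536000',
  'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin' };
const SAMPLE_COOKIES = [
  '_ga=GA1.1.111.222; Max-Age=63072000; Path=/',
  'sid=abc123; Path=/; HttpOnly; Secure',
  '_fbp=fb.1.1.1; Max-Age=7776000; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
  'promo=x; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
];
```

The `_fbp` sample carries a far-future `Expires` but a 90-day `Max-Age`, so it is not reported; a check that reads only `Expires` would flag it incorrectly.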
GDPR violations often appear on pages other than the homepage — checkout flows, sign-up forms, product pages. Tag Leak discovers pages from your sitemap and scans up to 100 pages per scan, giving you a full-site compliance picture.
Your GDPR compliance result is presented as a score from 0 to 100 with a per-check pass/fail breakdown. Checks include: consent banner detected, pre-consent trackers absent, GCM v2 correctly configured, TCF v2.3 valid, cookie lifetimes within threshold.
Note: GDPR compliance is not solely technical. Data Processing Agreements, Records of Processing Activities, Privacy Notices, Data Subject Request processes, and legal basis documentation are outside what any scanner can verify. Tag Leak tells you what's technically broken so you can fix it — legal review remains essential.
You do not need to select GDPR — every Tag Leak scan automatically audits all six major privacy regulations in one pass. Run a single scan and get compliance scores for GDPR, UK GDPR, CCPA, LGPD, POPIA, and PDPA simultaneously.
A GDPR cookie compliance scanner audits your website for technical GDPR violations: cookies and trackers that fire before user consent, consent banner presence and effectiveness, Google Consent Mode v2 implementation, IAB TCF v2.2 compliance, cookie lifetimes, and security headers. Tag Leak checks all of these in a single 60-second scan.
Not necessarily. A cookie banner is required, but it must actually block non-essential cookies until the user consents. Many websites have banners that appear but don't prevent tracking from firing — this is the most common GDPR violation. Tag Leak's two-pass scan detects exactly this by checking what fires before and after consent.
GDPR requires that your cookie banner: appears before any non-essential cookies fire, offers Accept and Reject options with equal prominence, does not use pre-checked boxes, provides granular category control, allows consent withdrawal at any time, and does not block content behind a cookie wall. Rejecting must be as easy as accepting.
If you use Google Analytics or Google Ads with EU visitors, Google Consent Mode v2 is effectively required. Since March 2024, Google requires GCM v2 for personalized advertising in the EEA. Without it, your GA4 and Google Ads campaigns lose conversion data and audience building capabilities for European users.
At minimum monthly, and after any significant website change — new marketing tags, CMP updates, redesigns, or new third-party integrations. Compliance can break silently when marketing adds new scripts or CMP configurations change. Tag Leak offers automated monitoring that scans your site on a schedule and alerts you to regressions.