BT Cookie Compliance Report

bt.com

Compare

https://bt.com

Scanned Apr 15, 2026 · 37.9s

Your website score is

0/100

Critical

Grade

BannerConsent Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 17 user data leaks before consent on bt.com, including OneTrust (Tracker Tracker), GA4, Dynatrace.

Security Headers

6/6 present

Strict-Transport-Security

max-age=31536000

Content-Security-Policy

frame-ancestors 'self' *.adobe.com; default-src blob: https: data: *.sprinklr.com wss://*.sprinklr.com *.liveperson.net wss://*.liveperson.net 'unsafe-inline' 'unsafe-eval';

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

nosniff

Referrer-Policy

strict-origin-when-cross-origin

Permissions-Policy

geolocation 'self'

Google Consent Mode

95/100

Consent Parameters

ParameterDefaultUpdated

Ad Storagedeniedgranted

Ad User Datadeniedgranted

Ad Personalizationdeniedgranted

Analytics Storagedeniedgranted

Functionality Storagedenieddenied

Personalization Storagedenieddenied

Security Storagedenieddenied

Issues (1)

No GTM container detected — consent mode works best with Google Tag Manager

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

3 vendors

Consent Mode

Advanced

GTM Load

Not detected

Consent Mode V2: Advanced

Advanced Consent Mode — consent update call fires on rejection and tracking stops correctly.

✓ gtag('consent', 'update') call detected on rejection

Vendors firing after rejection (3)

Vendor	Category	Timing	URL
Google — GA4	analytics	17232ms	region1.google-analytics.com
Google — GA4	analytics	17319ms	www.googletagmanager.com
Google — Google Ads	advertising	17528ms	pagead2.googlesyndication.com

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising7 vendors

Analytics5 vendors

Marketing7 vendors

Functional3 vendors

Critical10

criticalNetworkOneTrust (Tracker Tracker)

OneTrust (tracker) loaded before consent

Host: cdn-ukwest.onetrust.comFired: 2843ms after load

criticalNetworkAnalyticsGA4

GA4 loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire

Host: www.googletagmanager.comFired: 2843ms after load