https://farfetch.com
Scanned Apr 15, 2026 · 31.9s
Your website score is
Grade
BannerConsent Banner
Yes
Regulatory Compliance
Multi-regulation overview — click any regulation for details
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 51 user data leaks before consent on farfetch.com, including Akamai (Analytics Tracker), Advertising Tracker, Microsoft Ads and 3 more.
Security Headers
6/6 presentStrict-Transport-Security
max-age=31536000
Content-Security-Policy
frame-ancestors 'none'
X-Frame-Options
DENY
X-Content-Type-Options
nosniff
Referrer-Policy
strict-origin-when-cross-origin
Permissions-Policy
geolocation=(self), microphone=(), payment=(self), usb=(self)
Google Consent Mode
V2Consent Parameters
Post-Rejection Audit
Reject Button
Missing
Post-Rejection Fires
0 vendors
Consent Mode
Not Detected
GTM Load
1472ms pre-consent
Google Tag Manager(GTM-5VWCDN)
Loaded 1472ms after page load — before the consent banner was detected (banner appeared at 9514ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
Consent Record Audit
Issues detectedConsent record stored after interaction
GDPR Art. 7(1)No consent record written — cannot prove consent was given
No CMP consent cookie or localStorage entry was found after the consent interaction. GDPR requires controllers to demonstrate consent was given.
Consent withdrawal mechanism accessible
GDPR Art. 7(3)No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical14
Akamai (Analytics Tracker)2 findingss.go-mpulse.net, c.go-mpulse.net
s.go-mpulse.net, c.go-mpulse.net
Akamai (analytics) loaded before consent
Akamai (analytics) loaded before consent
Advertising Tracker3 findingsingress.eu2.rum-ingress-coralogix.com, beacon.riskified.com, bat.bing.net
ingress.eu2.rum-ingress-coralogix.com, beacon.riskified.com, bat.bing.net
advertising tracker at ingress.eu2.rum-ingress-coralogix.com loaded before consent
advertising tracker at beacon.riskified.com loaded before consent
advertising tracker at bat.bing.net loaded before consent
Microsoft Ads (Microsoft) loaded before consent: Microsoft Ads (Bing) UET conversion tracking
Forter (tracker) loaded before consent
Riskified (Analytics Tracker)2 findingsimg.riskified.com, c.riskified.com
img.riskified.com, c.riskified.com
Riskified (analytics) loaded before consent
Riskified (analytics) loaded before consent
Forter (Advertising Tracker)2 findingscdn0.forter.com, cdn3.forter.com
cdn0.forter.com, cdn3.forter.com
Forter (advertising) loaded before consent
Forter (advertising) loaded before consent
No "reject all" option found — users cannot refuse non-essential cookies (ICO guidance requires this)
No recognizable consent cookie or storage entry detected after interaction — GDPR Article 7(1) requires controllers to demonstrate consent was given (server-side storage cannot be verified)
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings40
Google Tag Manager2 findingsID trackedwww.googletagmanager.com
www.googletagmanager.com
Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire
GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-5VWCDN)
GA4 cookieless ping detected before consent — GCM v2 active with analytics_storage: denied. No cookies or user identifiers are collected in this request.
Unknown was clicked but no consent storage was written — tags may continue firing as if consent was never given
Google Ads cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
Unknown third-party request to cdn-static.farfetch-contents.com before consent
Unknown third-party request to accounts.google.com before consent
Unknown third-party request to api.farfetch.net before consent
Unknown third-party request to google.com before consent
sessionStorage key "rum_session" written before consent
localStorage key "cx-fingerprint" written before consent
localStorage key "_boomr_clss" written before consent
localStorage key "dummy" written before consent
localStorage key "ak_a" written before consent
localStorage key "__akfp_storage_test__" written before consent
localStorage key "UniqueViewId_https://www.farfetch.com/nl/" written before consent
sessionStorage key "__sak" written before consent
localStorage key "1776288678715" written before consent
localStorage key "lastRskxRun" written before consent
localStorage key "rskxRunCookie" written before consent
localStorage key "rCookie" written before consent
localStorage key "forterToken" written before consent
localStorage key "feh--9fd29358" written before consent
localStorage key "feh--8ff2b28" written before consent
localStorage key "feh--e3a677a0" written before consent
localStorage key "__test__" written before consent
localStorage key "f3b83c8e592aef14c2204ee437d40785" written before consent
localStorage key "feh--30cb83" written before consent
localStorage key "feh--330df5" written before consent
localStorage key "feh--1aea3" written before consent
localStorage key "feh--1bc22" written before consent
localStorage key "ftr__sf" written before consent
localStorage key "feh--19c44" written before consent
localStorage key "feh--6bc5339" written before consent
localStorage key "feh--c52" written before consent
localStorage key "feh--37d28a" written before consent
localStorage key "feh--1bda6" written before consent
localStorage key "feh--da4" written before consent
localStorage key "__$intc" written before consent
localStorage key "feh--1b2b8" written before consent
Info13
Paypal (Cdn)4 findingsc.paypal.com, b.stats.paypal.com, c6.paypal.com, slc.stats.paypal.com
c.paypal.com, b.stats.paypal.com, c6.paypal.com, slc.stats.paypal.com
Paypal (cdn) loaded before consent
Paypal (cdn) loaded before consent
Paypal (cdn) loaded before consent
Paypal (cdn) loaded before consent
Tripadvisor cookie "RT" set before consent — This cookie is used to identify the visitor through an application. This allows the visitor to login to a website through their LinkedIn application for example.
PayPal cookie "l7_az" set before consent — This cookie is necessary for the PayPal login-function on the website.
localStorage availability probe (null) wrote "__storage_test__" to localStorage before consent
Cross-site request forgery token — security mechanism
Akamai bot manager — necessary for site protection
Cross-site request forgery token — security mechanism
Cross-site request forgery token — security mechanism
Akamai bot management — necessary for site protection
Akamai bot management session — necessary for site protection
Compliant19
Twitter/X Pixel2 findingsID trackedt.co, static.ads-twitter.com
t.co, static.ads-twitter.com
Twitter/X Pixel (X (Twitter)) loaded correctly after consent
Twitter/X Pixel (X (Twitter)) loaded correctly after consent
Meta Pixel2 findingsID trackedwww.facebook.com, connect.facebook.net
www.facebook.com, connect.facebook.net
Meta Pixel (Meta) loaded correctly after consent
Meta Pixel (Meta) loaded correctly after consent
Google Ads4 findingsgoogleads.g.doubleclick.net, www.googleadservices.com, _gcl_au, _gcl_ls
googleads.g.doubleclick.net, www.googleadservices.com, _gcl_au, _gcl_ls
Google Ads (Google) loaded correctly after consent
Google Ads (Google) loaded correctly after consent
Google Ads cookie "_gcl_au" set correctly after consent
Google Ads (Google) wrote "_gcl_ls" to localStorage correctly after consent
Microsoft Ads3 findingsbat.bing.com, _uetsid, _uetvid
bat.bing.com, _uetsid, _uetvid
Microsoft Ads (Microsoft) loaded correctly after consent
Microsoft Ads cookie "_uetsid" set correctly after consent
Microsoft Ads cookie "_uetvid" set correctly after consent
Google Analytics3 findings_ga, _ga_CEF7PMN9HX, _ga_QJBZM1L4HL
_ga, _ga_CEF7PMN9HX, _ga_QJBZM1L4HL
Google Analytics cookie "_ga" set correctly after consent
Google Analytics cookie "_ga_CEF7PMN9HX" set correctly after consent
Google Analytics cookie "_ga_QJBZM1L4HL" set correctly after consent
DoubleClick/Google Marketing2 findingstest_cookie, IDE
test_cookie, IDE
DoubleClick/Google Marketing cookie "test_cookie" set correctly after consent
DoubleClick/Google Marketing cookie "IDE" set correctly after consent
Bing / Microsoft cookie "MUID" set correctly after consent
X2 findingsmuc_ads, personalization_id
muc_ads, personalization_id
X cookie "muc_ads" set correctly after consent
X cookie "personalization_id" set correctly after consent
Is this your site?
Run a full multi-page scan with monitoring and get detailed remediation steps
Scan farfetch.com →This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com