https://hltv.org
Scanned Apr 17, 2026 · 44.1s
Your website score is
Grade
BannerConsent Banner
Yes
Regulatory Compliance
Multi-regulation overview — click any regulation for details
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 35 user data leaks before consent on hltv.org, including Human Security (Advertising Tracker), Google (Tracker Tracker), Aditude (Advertising Tracker) and 7 more.
Security Headers
0/6 presentStrict-Transport-Security
Add HSTS header to enforce HTTPS connections and prevent downgrade attacks
Content-Security-Policy
Add a Content-Security-Policy header to prevent XSS and code injection attacks
X-Frame-Options
Add X-Frame-Options header to prevent clickjacking attacks
X-Content-Type-Options
Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing
Referrer-Policy
Set a Referrer-Policy header to control how much referrer information is shared
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode
V2Consent Parameters
Issues (2)
No default consent call detected — consent mode may not be initialised correctly
No GTM container detected — consent mode works best with Google Tag Manager
Post-Rejection Audit
Reject Button
Found
Post-Rejection Fires
5 vendors
Consent Mode
Advanced
GTM Load
Not detected
Consent Mode V2: Advanced
Advanced Consent Mode — consent update call fires on rejection and tracking stops correctly.
✓ gtag('consent', 'update') call detected on rejection
Vendors firing after rejection (5)
| Vendor | Category | Timing | URL |
|---|---|---|---|
| Google — GA4 | analytics | 17059ms | www.googletagmanager.com |
| Cookiebot — Cookiebot CMP | consent_management | 17167ms | consentcdn.cookiebot.com |
| Outbrain — Outbrain | advertising | 17233ms | tr.outbrain.com |
| Google — GA4 | analytics | 17543ms | region1.google-analytics.com |
| Google — Google Ads | advertising | 18201ms | pagead2.googlesyndication.com |
Consent Record Audit
Issues detectedConsent record stored after interaction
GDPR Art. 7(1)Found: CookieConsent (Cookiebot)
Record contains timestamp
Art. 7(1)Timestamp field detected
Record contains consent state
Art. 7(1)Accept/reject state detected
Record contains consent categories
Art. 7(1)Consent categories detected
Consent withdrawal mechanism accessible
GDPR Art. 7(3)No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical22
Data was transmitted to a third-party or storage was written on the user’s device before consent. This is a GDPR/ePrivacy violation, not just a script load.
Outbrain2 findingsID trackedtr.outbrain.com, dicbo_id
tr.outbrain.com, dicbo_id
Outbrain (Outbrain) loaded before consent: Outbrain conversion tracking endpoint
Outbrain cookie "dicbo_id" set before consent — Collects statistics concerning the visitors' use of the website and its general functionality. This is used to optimize and compile reports on the website for comparison through a third party analysis service.
Human Security (advertising) loaded before consent
Google (Tracker Tracker)2 findingswww.googletagservices.com, securepubads.g.doubleclick.net
www.googletagservices.com, securepubads.g.doubleclick.net
Google (tracker) loaded before consent
Google (tracker) loaded before consent
Aditude (advertising) loaded before consent
GA4 (Google) loaded before consent: Google Analytics gtag.js library
SMARTDYNAMICS (advertising) loaded before consent
Twitter/X Pixel (X (Twitter)) loaded before consent: Loads Twitter/X conversion tracking script
Teads (Advertising Tracker)2 findingsamplify.outbrain.com, wave.outbrain.com
amplify.outbrain.com, wave.outbrain.com
Teads (advertising) loaded before consent
Teads (advertising) loaded before consent
advertising tracker at match.aditude.cloud loaded before consent
X5 findingsguest_id_marketing, guest_id_ads, personalization_id, guest_id, muc_ads
guest_id_marketing, guest_id_ads, personalization_id, guest_id, muc_ads
X cookie "guest_id_marketing" set before consent — This cookie is for advertising when logged out
X cookie "guest_id_ads" set before consent — This cookie is for advertising when logged out
X cookie "personalization_id" set before consent — Unique value with which users can be identified by X. Collected information is used to be personalize X services, including X trends, stories, ads and suggestions.
X cookie "guest_id" set before consent — This cookie is set by X to identify and track the website visitor. Registers if a users is signed in the X platform and collects information about ad preferences.
X cookie "muc_ads" set before consent — These cookies are placed when you come to our website via X. A cookie from X is also placed on our website, with which we can later show a relevant offer on X
Google — GA4 fires after user rejected consent
Cookiebot — Cookiebot CMP fires after user rejected consent
Outbrain — Outbrain fires after user rejected consent
Google — Google Ads fires after user rejected consent
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings18
A tag container or script loaded before consent but tags appear correctly gated (e.g. GTM with Consent Mode v2). Not a violation on its own — review to confirm downstream tags stay blocked.
Twitter (social) loaded before consent
Unknown third-party request to t.co before consent
Unknown third-party request to static-cdn.jtvnw.net before consent
Unknown third-party request to raven-edge.aditude.io before consent
Unknown third-party request to edge.aditude.io before consent
Unknown third-party request to geo-location.prebid.cloud before consent
Unknown third-party request to raven-static.aditude.io before consent
Unknown third-party request to geo.aditude.io before consent
localStorage key "~~~" written before consent
localStorage key "cwgl" written before consent
localStorage key "cwglt" written before consent
localStorage key "ditu_user" written before consent
localStorage key "ditu_session" written before consent
localStorage key "rcik" written before consent
localStorage key "rciv" written before consent
sessionStorage key "cw-srn" written before consent
localStorage key "__test" written before consent
localStorage key "tude-raven-sampling-bucket" written before consent
Info9
Neutral observations — activity we detected that isn’t a violation but is useful context (e.g. essential cookies, CMP initialisation).
Cookiebot (Cookiebot) loaded before consent: Cookiebot consent management platform
Cloudflare Web Analytics (Cloudflare) loaded before consent: Cloudflare Web Analytics beacon — privacy-focused, no cookies
Cookiebot CMP (Cookiebot) loaded before consent: Cookiebot consent management platform
Amazon (cdn) loaded before consent
Yahoo! (cdn) loaded before consent
Cloudflare2 findings__cflb, _cfuvid
__cflb, _cfuvid
Cloudflare cookie "__cflb" set before consent — When enabling session affinity with Cloudflare Load Balancer, Cloudflare sets a __cflb cookie with a unique value on the first response to the requesting client. Cloudflare routes future requests to the same origin, optimizing network resource usage. In the event of a failover, Cloudflare sets a new __cflb cookie to direct future requests to the failover pool.
Cloudflare cookie "_cfuvid" set before consent — The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address.
Cloudflare challenge clearance — necessary for site access
Cloudflare bot management — necessary for site operation
Compliant180
Tags that fired only after the user gave consent — working as intended.
Meta Pixel3 findingsID trackedwww.facebook.com, connect.facebook.net, _fbp
www.facebook.com, connect.facebook.net, _fbp
Meta Pixel (Meta) loaded correctly after consent
Meta Pixel (Meta) loaded correctly after consent
Meta Pixel cookie "_fbp" set correctly after consent
Google Analytics3 findingswww.google-analytics.com, _ga_525WEYQTV9, _ga
www.google-analytics.com, _ga_525WEYQTV9, _ga
GA4 (Google) loaded correctly after consent
Google Analytics cookie "_ga_525WEYQTV9" set correctly after consent
Google Analytics cookie "_ga" set correctly after consent
Google Ads3 findingsgoogleads.g.doubleclick.net, _gcl_au, _gcl_ls
googleads.g.doubleclick.net, _gcl_au, _gcl_ls
Google Ads (Google) loaded correctly after consent
Google Ads cookie "_gcl_au" set correctly after consent
Google Ads (Google) wrote "_gcl_ls" to localStorage correctly after consent
Criteo cookie "cto_bundle" set correctly after consent
Cookiebot cookie "CookieConsent" set correctly after consent
Yahoo2 findingsA3, IDSYNC
A3, IDSYNC
Yahoo cookie "A3" set correctly after consent
Yahoo cookie "IDSYNC" set correctly after consent
Adform6 findingsuid, cto_bidid, c, CID, cid, UID
uid, cto_bidid, c, CID, cid, UID
Adform cookie "uid" set correctly after consent
Adform cookie "cto_bidid" set correctly after consent
Adform cookie "c" set correctly after consent
Adform cookie "CID" set correctly after consent
Adform cookie "cid" set correctly after consent
Adform cookie "UID" set correctly after consent
Lotame6 findings_cc_dc, _cc_id, _cc_cc, _cc_aud, panoramaId_expiry, panoramaId
_cc_dc, _cc_id, _cc_cc, _cc_aud, panoramaId_expiry, panoramaId
Lotame cookie "_cc_dc" set correctly after consent
Lotame cookie "_cc_id" set correctly after consent
Lotame cookie "_cc_cc" set correctly after consent
Lotame cookie "_cc_aud" set correctly after consent
Lotame cookie "panoramaId_expiry" set correctly after consent
Lotame cookie "panoramaId" set correctly after consent
Teads cookie "tt_viewer" set correctly after consent
Magnite4 findingskhaos, khaos_p, audit_p, audit
khaos, khaos_p, audit_p, audit
Magnite cookie "khaos" set correctly after consent
Magnite cookie "khaos_p" set correctly after consent
Magnite cookie "audit_p" set correctly after consent
Magnite cookie "audit" set correctly after consent
Xandr4 findingsXANDR_PANID, uuid2, icu, anj
XANDR_PANID, uuid2, icu, anj
Xandr cookie "XANDR_PANID" set correctly after consent
Xandr cookie "uuid2" set correctly after consent
Xandr cookie "icu" set correctly after consent
Xandr cookie "anj" set correctly after consent
Seedtag4 findingsst_ssp, st_uid, st_cs, st_csd
st_ssp, st_uid, st_cs, st_csd
Seedtag cookie "st_ssp" set correctly after consent
Seedtag cookie "st_uid" set correctly after consent
Seedtag cookie "st_cs" set correctly after consent
Seedtag cookie "st_csd" set correctly after consent
GumGum cookie "vst" set correctly after consent
Marfeel12 findingscompass_uid, _sv3_4, _sv3_8, _sv3_6, _sv3_17, _sv3_13, _sv3_7, _sv3_15, _sv3_14, _sv3_11, _sv3_3, _ssuma
compass_uid, _sv3_4, _sv3_8, _sv3_6, _sv3_17, _sv3_13, _sv3_7, _sv3_15, _sv3_14, _sv3_11, _sv3_3, _ssuma
Marfeel cookie "compass_uid" set correctly after consent
Marfeel cookie "_sv3_4" set correctly after consent
Marfeel cookie "_sv3_8" set correctly after consent
Marfeel cookie "_sv3_6" set correctly after consent
Marfeel cookie "_sv3_17" set correctly after consent
Marfeel cookie "_sv3_13" set correctly after consent
Marfeel cookie "_sv3_7" set correctly after consent
Marfeel cookie "_sv3_15" set correctly after consent
Marfeel cookie "_sv3_14" set correctly after consent
Marfeel cookie "_sv3_11" set correctly after consent
Marfeel cookie "_sv3_3" set correctly after consent
Marfeel cookie "_ssuma" set correctly after consent
DoubleClick/Google Marketing3 findingsIDE, __gads, id
IDE, __gads, id
DoubleClick/Google Marketing cookie "IDE" set correctly after consent
DoubleClick/Google Marketing cookie "__gads" set correctly after consent
DoubleClick/Google Marketing cookie "id" set correctly after consent
Google AdSense2 findings__gpi, __eoi
__gpi, __eoi
Google AdSense cookie "__gpi" set correctly after consent
Google AdSense cookie "__eoi" set correctly after consent
SurveyMonkey3 findingsp_Amc_b, p_Amc_s, p_Amc_t
p_Amc_b, p_Amc_s, p_Amc_t
SurveyMonkey cookie "p_Amc_b" set correctly after consent
SurveyMonkey cookie "p_Amc_s" set correctly after consent
SurveyMonkey cookie "p_Amc_t" set correctly after consent
richAudience6 findingspdid, avcid-rub-uid, avcid-ttd-uid, avcid-crt-uid, avcid-bsx-uid, avcid-adf-uid
pdid, avcid-rub-uid, avcid-ttd-uid, avcid-crt-uid, avcid-bsx-uid, avcid-adf-uid
richAudience cookie "pdid" set correctly after consent
richAudience cookie "avcid-rub-uid" set correctly after consent
richAudience cookie "avcid-ttd-uid" set correctly after consent
richAudience cookie "avcid-crt-uid" set correctly after consent
richAudience cookie "avcid-bsx-uid" set correctly after consent
richAudience cookie "avcid-adf-uid" set correctly after consent
Google3 findingsconsent, receive-cookie-deprecation, DSID
consent, receive-cookie-deprecation, DSID
Google cookie "consent" set correctly after consent
Google cookie "receive-cookie-deprecation" set correctly after consent
Google cookie "DSID" set correctly after consent
The Tradedesk2 findingsTDID, TDCPM
TDID, TDCPM
The Tradedesk cookie "TDID" set correctly after consent
The Tradedesk cookie "TDCPM" set correctly after consent
semasio.net cookie "SEUNCY" set correctly after consent
CreativeCDN cookie "g" set correctly after consent
PayPal cookie "ts" set correctly after consent
Platform161 cookie "tuuid" set correctly after consent
bidswitch.net cookie "tuuid_lu" set correctly after consent
Adobe Audience Manager2 findingsdemdex, dpm
demdex, dpm
Adobe Audience Manager cookie "demdex" set correctly after consent
Adobe Audience Manager cookie "dpm" set correctly after consent
ComScore cookie "pid" set correctly after consent
The Ozone Project cookie "ozone_uid" set correctly after consent
Smartadserver3 findingsTestIfCookieP, pbw, csync
TestIfCookieP, pbw, csync
Smartadserver cookie "TestIfCookieP" set correctly after consent
Smartadserver cookie "pbw" set correctly after consent
Smartadserver cookie "csync" set correctly after consent
Outbrain cookie "obuid" set correctly after consent
Beeswax2 findingsbito, bitoIsSecure
bito, bitoIsSecure
Beeswax cookie "bito" set correctly after consent
Beeswax cookie "bitoIsSecure" set correctly after consent
PubMatic30 findingsKADUSERCOOKIE, KRTBCOOKIE_80, KRTBCOOKIE_632, KRTBCOOKIE_391, KRTBCOOKIE_452, KRTBCOOKIE_377, DPSync4, KRTBCOOKIE_699, KRTBCOOKIE_57, KRTBCOOKIE_153, KRTBCOOKIE_1101, KRTBCOOKIE_945, KRTBCOOKIE_860, KRTBCOOKIE_32, KRTBCOOKIE_1323, SyncRTB4, KRTBCOOKIE_188, KRTBCOOKIE_22, KRTBCOOKIE_1469, KRTBCOOKIE_1529, pi, KRTBCOOKIE_740, PugT, chk, KRTBCOOKIE_1513, KRTBCOOKIE_1277, KRTBCOOKIE_409, SPugT, chkChromeAb67Sec, pubsyncexp
KADUSERCOOKIE, KRTBCOOKIE_80, KRTBCOOKIE_632, KRTBCOOKIE_391, KRTBCOOKIE_452, KRTBCOOKIE_377, DPSync4, KRTBCOOKIE_699, KRTBCOOKIE_57, KRTBCOOKIE_153, KRTBCOOKIE_1101, KRTBCOOKIE_945, KRTBCOOKIE_860, KRTBCOOKIE_32, KRTBCOOKIE_1323, SyncRTB4, KRTBCOOKIE_188, KRTBCOOKIE_22, KRTBCOOKIE_1469, KRTBCOOKIE_1529, pi, KRTBCOOKIE_740, PugT, chk, KRTBCOOKIE_1513, KRTBCOOKIE_1277, KRTBCOOKIE_409, SPugT, chkChromeAb67Sec, pubsyncexp
PubMatic cookie "KADUSERCOOKIE" set correctly after consent
PubMatic cookie "KRTBCOOKIE_80" set correctly after consent
PubMatic cookie "KRTBCOOKIE_632" set correctly after consent
PubMatic cookie "KRTBCOOKIE_391" set correctly after consent
PubMatic cookie "KRTBCOOKIE_452" set correctly after consent
PubMatic cookie "KRTBCOOKIE_377" set correctly after consent
PubMatic cookie "DPSync4" set correctly after consent
PubMatic cookie "KRTBCOOKIE_699" set correctly after consent
PubMatic cookie "KRTBCOOKIE_57" set correctly after consent
PubMatic cookie "KRTBCOOKIE_153" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1101" set correctly after consent
PubMatic cookie "KRTBCOOKIE_945" set correctly after consent
PubMatic cookie "KRTBCOOKIE_860" set correctly after consent
PubMatic cookie "KRTBCOOKIE_32" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1323" set correctly after consent
PubMatic cookie "SyncRTB4" set correctly after consent
PubMatic cookie "KRTBCOOKIE_188" set correctly after consent
PubMatic cookie "KRTBCOOKIE_22" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1469" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1529" set correctly after consent
PubMatic cookie "pi" set correctly after consent
PubMatic cookie "KRTBCOOKIE_740" set correctly after consent
PubMatic cookie "PugT" set correctly after consent
PubMatic cookie "chk" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1513" set correctly after consent
PubMatic cookie "KRTBCOOKIE_1277" set correctly after consent
PubMatic cookie "KRTBCOOKIE_409" set correctly after consent
PubMatic cookie "SPugT" set correctly after consent
PubMatic cookie "chkChromeAb67Sec" set correctly after consent
PubMatic cookie "pubsyncexp" set correctly after consent
Sharethrough cookie "stx_user_id" set correctly after consent
openx.net2 findingsi, pd
i, pd
openx.net cookie "i" set correctly after consent
openx.net cookie "pd" set correctly after consent
Yieldmo cookie "yieldmo_id" set correctly after consent
NGINX Ingresss cookie "INGRESSCOOKIE" set correctly after consent
Tapad3 findingsTapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS
TapAd_TS, TapAd_DID, TapAd_3WAY_SYNCS
Tapad cookie "TapAd_TS" set correctly after consent
Tapad cookie "TapAd_DID" set correctly after consent
Tapad cookie "TapAd_3WAY_SYNCS" set correctly after consent
csync.loopme.me cookie "viewer_token" set correctly after consent
TripleLift cookie "tluid" set correctly after consent
Smaato2 findingsSCM, SCMg
SCM, SCMg
Smaato cookie "SCM" set correctly after consent
Smaato cookie "SCMg" set correctly after consent
ID53 findingsgdpr, id5, 3pi
gdpr, id5, 3pi
ID5 cookie "gdpr" set correctly after consent
ID5 cookie "id5" set correctly after consent
ID5 cookie "3pi" set correctly after consent
Neustar cookie "ab" set correctly after consent
Emetric3 findingspid_short, pid_signature, ep
pid_short, pid_signature, ep
Emetric cookie "pid_short" set correctly after consent
Emetric cookie "pid_signature" set correctly after consent
Emetric cookie "ep" set correctly after consent
HAproxy cookie "SERVERID" set correctly after consent
BetweenDigital cookie "dc" set correctly after consent
betweendigital.com cookie "ss" set correctly after consent
Casale Media3 findingsCMID, CMPS, CMPRO
CMID, CMPS, CMPRO
Casale Media cookie "CMID" set correctly after consent
Casale Media cookie "CMPS" set correctly after consent
Casale Media cookie "CMPRO" set correctly after consent
Federated Media Publishing cookie "ljt_reader" set correctly after consent
Quantcast cookie "mc" set correctly after consent
Rapleaf2 findingspxrc, rlas3
pxrc, rlas3
Rapleaf cookie "pxrc" set correctly after consent
Rapleaf cookie "rlas3" set correctly after consent
LinkedIn4 findingsbcookie, li_gc, lidc, vid
bcookie, li_gc, lidc, vid
LinkedIn cookie "bcookie" set correctly after consent
LinkedIn cookie "li_gc" set correctly after consent
LinkedIn cookie "lidc" set correctly after consent
LinkedIn cookie "vid" set correctly after consent
Amazon2 findingsad-id, ad-privacy
ad-id, ad-privacy
Amazon cookie "ad-id" set correctly after consent
Amazon cookie "ad-privacy" set correctly after consent
Bing / Microsoft cookie "MUID" set correctly after consent
Media.net3 findingsvisitor-id, data-pbs, data-ris
visitor-id, data-pbs, data-ris
Media.net cookie "visitor-id" set correctly after consent
Media.net cookie "data-pbs" set correctly after consent
Media.net cookie "data-ris" set correctly after consent
Adition cookie "UserID1" set correctly after consent
Admatic cookie "uids" set correctly after consent
OnAudience2 findingsdone_redirects153, done_redirects236
done_redirects153, done_redirects236
OnAudience cookie "done_redirects153" set correctly after consent
OnAudience cookie "done_redirects236" set correctly after consent
ShareThis2 findings__stid, __stidv
__stid, __stidv
ShareThis cookie "__stid" set correctly after consent
ShareThis cookie "__stidv" set correctly after consent
Adobe Advertising cookie "everest_g_v2" set correctly after consent
Adkernel2 findingsSSPZ, ADKUID
SSPZ, ADKUID
Adkernel cookie "SSPZ" set correctly after consent
Adkernel cookie "ADKUID" set correctly after consent
Nativo cookie "opt_out" set correctly after consent
Aniview cookie "aniC" set correctly after consent
Sonobi cookie "HAPLB8G" set correctly after consent
Mediamath cookie "uuid" set correctly after consent
Zeotap cookie "zc" set correctly after consent
Mediarithmics3 findingsmics_vid, mics_uaid, mics_lts
mics_vid, mics_uaid, mics_lts
Mediarithmics cookie "mics_vid" set correctly after consent
Mediarithmics cookie "mics_uaid" set correctly after consent
Mediarithmics cookie "mics_lts" set correctly after consent
Improve Digital2 findingsum, umeh
um, umeh
Improve Digital cookie "um" set correctly after consent
Improve Digital cookie "umeh" set correctly after consent
Snowplow cookie "sp" set correctly after consent
Auth0 cookie "did" set correctly after consent
Yandex.Metrica4 findingsyandexuid, yashr, yuidss, bh
yandexuid, yashr, yuidss, bh
Yandex.Metrica cookie "yandexuid" set correctly after consent
Yandex.Metrica cookie "yashr" set correctly after consent
Yandex.Metrica cookie "yuidss" set correctly after consent
Yandex.Metrica cookie "bh" set correctly after consent
localStorage availability probe (null) wrote "__storage_test__" to localStorage correctly after consent
Is this your site?
Run a full multi-page scan with monitoring and get detailed remediation steps
Scan hltv.org →This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com