Kahoot! Cookie Compliance Report

Kahoot!

kahoot.it

Compare

https://kahoot.it

Scanned Apr 15, 2026 · 42.2s

Your website score is

0/100

Critical

Grade

BannerConsent Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 8 user data leaks before consent on kahoot.it, including Amplitude, OneTrust (Tracker Tracker).

Security Headers

2/6 present

Strict-Transport-Security

max-age=31536000; includeSubDomains; preload

Content-Security-Policy

Add a Content-Security-Policy header to prevent XSS and code injection attacks

X-Frame-Options

Add X-Frame-Options header to prevent clickjacking attacks

X-Content-Type-Options

nosniff

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

GTM container detected (GTM-5HCKFC) but no consent mode initialisation found. Add gtag('consent', 'default', ...) before your GTM snippet.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

0 vendors

Consent Mode

Not Detected

GTM Load

709ms pre-consent

Google Tag Manager(GTM-5HCKFC)

Loaded 709ms after page load — before the consent banner was detected (banner appeared at 9037ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

No tracking vendors detected firing after rejection

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Analytics2 vendors

Security4

Tag Management1 vendor

Critical4

criticalNetworkAnalyticsAmplitude

Amplitude (Amplitude) loaded before consent: Amplitude product analytics

Host: cdn.amplitude.comFired: 904ms after load

OneTrust (Tracker Tracker)2 findings

cdn-ukwest.onetrust.com, privacyportal-uk.onetrust.com

criticalNetworkOneTrust (Tracker Tracker)

OneTrust (tracker) loaded before consent

Host: cdn-ukwest.onetrust.comFired: 914ms after load

criticalNetworkOneTrust (Tracker Tracker)

OneTrust (tracker) loaded before consent

Host: privacyportal-uk.onetrust.comFired: 3181ms after load

criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings5

Google Tag Manager2 findingsID tracked

www.googletagmanager.com

warningNetworkTag ManagementGoogle Tag Manager

Google Tag Manager (Google) loaded before consent: Loads the GTM container which may trigger other tags

ID: GTM-5HCKFCHost: www.googletagmanager.comFired: 503ms after load

warningGTMTag ManagementGoogle Tag Manager

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-5HCKFC)

warningStorage

sessionStorage key "lang" written before consent

Key: langType: sessionStorageFired: 2778ms after load

warningStorage

sessionStorage key "kahoot-controller-params" written before consent

Key: kahoot-controller-paramsType: sessionStorageFired: 2807ms after load

warningStorage

localStorage key "splitTool" written before consent

Key: splitToolType: localStorageFired: 3597ms after load

Info4

infoNetworkConsent MgmtOneTrust CMP

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location

Host: geolocation.onetrust.comFired: 1019ms after load

infoNetworkAnalyticsSentry

Sentry (Sentry) loaded before consent: Sentry error reporting endpoint

Host: sentry.ioFired: 2796ms after load

OneTrust2 findings

OptanonAlertBoxClosed, OptanonConsent

infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonAlertBoxClosed" set before consent

Cookie: OptanonAlertBoxClosedDomain: .kahoot.it

infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonConsent" set before consent

Cookie: OptanonConsentDomain: .kahoot.it

Compliant1

CompliantCookieAnalyticsAmplitude

Amplitude cookie "amp_1ecbdc_kahoot.it" set correctly after consent

Cookie: amp_1ecbdc_kahoot.itDomain: .kahoot.itRetention: 1 year

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan kahoot.it →

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com