Marriott

marriott.com

Compare

https://marriott.com

Scanned Apr 15, 2026 · 32.5s

Your website score is

0/100
Critical

Grade

F0

Banner

No

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 31 user data leaks before consent on marriott.com, including Adobe (Tracker Tracker), Instagram, Dynatrace and 2 more.

Security Headers

2/6 present

Strict-Transport-Security

max-age=86400 ; includeSubDomains

Content-Security-Policy

Add a Content-Security-Policy header to prevent XSS and code injection attacks

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

4 vendors

Consent Mode

Not Detected

GTM Load

Not detected

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

Vendors firing after rejection (4)

VendorCategoryTimingURL
Google — Google Adsadvertising17406mswww.google.com
Google — Google Adsadvertising17478mswww.googleadservices.com
Google — Google Adsadvertising17701msgoogleads.g.doubleclick.net
FullStory — FullStoryanalytics19662msrs.fullstory.com

Consent Record Audit

Pass

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

Cookie settings link / floating button found

Consent record and withdrawal mechanism are both correctly implemented

Tracker categories detected

Advertising1 vendor
Analytics3 vendors
Marketing2 vendors
Security4
Functional1 vendor
Critical12
Adobe (Tracker Tracker)
criticalNetworkAdobe (Tracker Tracker)

Adobe (tracker) loaded before consent

Host: adobedc.demdex.netFired: 803ms after load
Instagram
criticalCookieMarketingInstagram

Instagram cookie "sessionID" set before consent — This is a performance cookie used to collect data about people logging in and out of the website.

Cookie: sessionIDDomain: www.marriott.comRetention: 1 year
Dynatrace
Dynatrace5 findings

dtCookie, rxVisitor, dtSa, rxvt, dtPC

Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtCookie" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtCookieDomain: .marriott.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "rxVisitor" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: rxVisitorDomain: .marriott.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtSa" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtSaDomain: .marriott.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "rxvt" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: rxvtDomain: .marriott.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtPC" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtPCDomain: .marriott.comRetention: Session
Adobe Audience Manager
criticalCookieMarketingAdobe Audience Manager

Adobe Audience Manager cookie "demdex" set before consent — Unique value with which Audience Manager can identify a user. Used, among others, for identification, segmentation, modeling and reporting purposes.

Cookie: demdexDomain: .demdex.netRetention: 180 days after last activity or 10 years when opting out
Adobe Analytics
criticalCookieAnalyticsAdobe Analytics

Adobe Analytics cookie "AMCV_664516D751E565010A490D4C%40AdobeOrg" set before consent

Cookie: AMCV_664516D751E565010A490D4C%40AdobeOrgDomain: .marriott.com
Google — Google Ads
criticalPost-RejectionAdvertisingGoogle — Google Ads

Google — Google Ads fires after user rejected consent

Fired: 17406ms after load
FullStory — FullStory
criticalPost-RejectionAnalyticsFullStory — FullStory

FullStory — FullStory fires after user rejected consent

Fired: 19662ms after load
criticalNetwork

No consent banner detected — all cookies and tags fire without user consent

Warnings21
vendor logo
warningNetwork

Unknown third-party request to assets.adobedtm.com before consent

Host: assets.adobedtm.comFired: 457ms after load
warningStorage

sessionStorage key "com.adobe.reactor.core.visitorTracking.landingPage" written before consent

Key: com.adobe.reactor.core.visitorTracking.landingPageType: sessionStorageFired: 735ms after load
warningStorage

sessionStorage key "com.adobe.reactor.core.visitorTracking.trafficSource" written before consent

Key: com.adobe.reactor.core.visitorTracking.trafficSourceType: sessionStorageFired: 736ms after load
warningStorage

localStorage key "previous_page" written before consent

Key: previous_pageType: localStorageFired: 766ms after load
warningStorage

sessionStorage key "loggedInStatus" written before consent

Key: loggedInStatusType: sessionStorageFired: 768ms after load
warningStorage

localStorage key "dummy" written before consent

Key: dummyType: localStorageFired: 892ms after load
warningStorage

localStorage key "ak_a" written before consent

Key: ak_aType: localStorageFired: 1011ms after load
warningStorage

localStorage key "com.adobe.alloy.664516D751E565010A490D4C_AdobeOrg.consentHashes.Adobe.1.0" written before consent

Key: com.adobe.alloy.664516D751E565010A490D4C_AdobeOrg.consentHashes.Adobe.1.0Type: localStorageFired: 1343ms after load
warningStorage

sessionStorage key "oldDataLayer" written before consent

Key: oldDataLayerType: sessionStorageFired: 1345ms after load
warningStorage

sessionStorage key "oldMvpOffers" written before consent

Key: oldMvpOffersType: sessionStorageFired: 1345ms after load
warningStorage

sessionStorage key "mi-global-data" written before consent

Key: mi-global-dataType: sessionStorageFired: 2959ms after load
warningStorage

sessionStorage key "rxVisitor" written before consent

Key: rxVisitorType: sessionStorageFired: 3693ms after load
warningStorage

sessionStorage key "rxvisitid" written before consent

Key: rxvisitidType: sessionStorageFired: 3694ms after load
warningStorage

sessionStorage key "rxvt" written before consent

Key: rxvtType: sessionStorageFired: 3696ms after load
warningStorage

sessionStorage key "dtSa" written before consent

Key: dtSaType: sessionStorageFired: 3708ms after load
warningStorage

localStorage key "dtCFG_sy2d3jns_220110cf75551a30" written before consent

Key: dtCFG_sy2d3jns_220110cf75551a30Type: localStorageFired: 3723ms after load
warningStorage

sessionStorage key "dtTAB_sy2d3jns" written before consent

Key: dtTAB_sy2d3jnsType: sessionStorageFired: 3724ms after load
warningStorage

localStorage key "mi-session-store" written before consent

Key: mi-session-storeType: localStorageFired: 3886ms after load
warningStorage

sessionStorage key "dtCookie" written before consent

Key: dtCookieType: sessionStorageFired: 5923ms after load
warningStorage

sessionStorage key "qualtricssessionstoragetestkey" written before consent

Key: qualtricssessionstoragetestkeyType: sessionStorageFired: 6004ms after load
warningStorage

sessionStorage key "QSI_HistorySession" written before consent

Key: QSI_HistorySessionType: sessionStorageFired: 6187ms after load
Info7
Dynatrace (Cdn)
infoNetworkDynatrace (Cdn)

Dynatrace (cdn) loaded before consent

Host: js-cdn.dynatrace.comFired: 813ms after load
Akamai (Cdn)
infoNetworkAkamai (Cdn)

Akamai (cdn) loaded before consent

Host: p11.techlab-cdn.comFired: 1196ms after load
Qualtrics (Cdn)
Qualtrics (Cdn)2 findings

zn1mdx3zmq39jkigz-marriott.siteintercept.qualtrics.com, siteintercept.qualtrics.com

Qualtrics (Cdn)
infoNetworkQualtrics (Cdn)

Qualtrics (cdn) loaded before consent

Host: zn1mdx3zmq39jkigz-marriott.siteintercept.qualtrics.comFired: 5070ms after load
Qualtrics (Cdn)
infoNetworkQualtrics (Cdn)

Qualtrics (cdn) loaded before consent

Host: siteintercept.qualtrics.comFired: 5622ms after load
Akamai
infoCookieFunctionalAkamai

Akamai cookie "AKA_A2" set before consent — Used for Akamai's Advanced Acceleration feature, intended to improve web performance

Cookie: AKA_A2Domain: .marriott.comRetention: 1 hour or longer
infoCookieFunctional

Akamai bot manager — necessary for site protection

Cookie: _abckDomain: .marriott.com
infoCookieFunctional

Akamai bot management session — necessary for site protection

Cookie: ak_bmscDomain: .marriott.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan marriott.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com