Merrill Lynch Cookie Compliance Report

Merrill Lynch

ml.com

Compare

https://ml.com

Scanned Apr 15, 2026 · 36.2s

Your website score is

0/100

Critical

Grade

BannerConsent Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 45 user data leaks before consent on ml.com, including Tealium (Tracker Tracker), Advertising Tracker, GA4 and 8 more.

Security Headers

2/6 present

Strict-Transport-Security

max-age=31536000;includeSubDomains

Content-Security-Policy

default-src 'self' *.ml.com *.bankofamerica.com *.bofa.com *.bac-assets.com 1359940.fls.doubleclick.net ad.doubleclick.net adservice.google.com www.glancecdn.net storage.glancecdn.net www.glance.net bofa-prod-presence-1.glance.net bofa-prod-presence-2.glance.net bofa-prod-presence-3.glance.net bofa-prod-presence-4.glance.net bofa-prod-presence-5.glance.net bofa-prod-presence-6.glance.net bofa-prod-presence-7.glance.net bofa-prod-presence-8.glance.net bofa-prod-presence-9.glance.net cobrowse-location.glance.net session-a-1.glance.net session-a-2.glance.net session-a-3.glance.net session-a-4.glance.net session-a-5.glance.net session-a-6.glance.net session-a-7.glance.net session-a-8.glance.net session-a-9.glance.net visitor-cam-aws.glance.net lb-video.glance.net prod-video-a-1.glance.net prod-video-a-2.glance.net prod-video-a-3.glance.net prod-video-a-4.glance.net prod-video-a-5.glance.net prod-video-a-6.glance.net prod-video-a-7.glance.net prod-video-a-8.glance.net prod-video-a-9.glance.net cfvod.kaltura.com d.agkn.com geolocation.onetrust.com platform.linkedin.com platform.twitter.com privacyportal-bofa.my.onetrust.com px.marchex.io snc.marchex.io stats.g.doubleclick.net td.doubleclick.net testdata.coremetrics.com units.knotch.it www.dianomi.com www.google.co.in www.google.com www.googleadservices.com www.googletagmanager.com www.knotch-cdn.com beplic.epsilon.com ct.pinterest.com s.pinimg.com www.redditstatic.com pixel-config.reddit.com alb.reddit.com conversions-config.reddit.com tr.snapchat.com data: blob: wss: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.ml.com *.bankofamerica.com *.bofa.com *.bac-assets.com www.googletagmanager.com www.knotch-cdn.com beplic.epsilon.com glance.net beta.glancecdn.net storage.glancecdn.net www.glancecdn.net glancecdn.net cdnstorage.myglance.net cdn-bofa.myglance.net analytics.kaltura.com cdn.cookielaw.org cdnapisec.kaltura.com rw.marchex.io tags.tiqcdn.com www.google-analytics.com www.googleapis.com ct.pinterest.com s.pinimg.com www.redditstatic.com pixel-config.reddit.com alb.reddit.com conversions-config.reddit.com tr.snapchat.com blob: wss: 'unsafe-inline' 'unsafe-eval'; style-src 'self' *.ml.com *.bankofamerica.com *.bofa.com *.bac-assets.com www.googletagmanager.com www.knotch-cdn.com beplic.epsilon.com glance.net beta.glancecdn.net storage.glancecdn.net www.glancecdn.net glancecdn.net cdnstorage.myglance.net cdn-bofa.myglance.net www.redditstatic.com pixel-config.reddit.com alb.reddit.com conversions-config.reddit.com tr.snapchat.com 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.ml.com *.bac-assets.com *.bankofamerica.com www.glance.net ; worker-src 'self' blob:;

X-Frame-Options

Add X-Frame-Options header to prevent clickjacking attacks

X-Content-Type-Options

Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

0 vendors

Consent Mode

Not Detected

GTM Load

Not detected

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

No tracking vendors detected firing after rejection

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising2 vendors

Analytics3 vendors

Marketing3 vendors

Security4

Functional1 vendor

Critical24

Google Analytics6 findingsID tracked

region1.google-analytics.com, www.google-analytics.com, www.googletagmanager.com, _ga_YKQNXHD8CB, _ga, FPID

criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

ID: G-YKQNXHD8CBHost: region1.google-analytics.comFired: 3362ms after load

criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

Host: www.google-analytics.comFired: 2835ms after load

criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Google Analytics gtag.js library

Host: www.googletagmanager.comFired: 2837ms after load

criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_YKQNXHD8CB" set before consent

Cookie: _ga_YKQNXHD8CBDomain: .ml.com

criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set before consent

Cookie: _gaDomain: .ml.com

criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "FPID" set before consent — Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.

Cookie: FPIDDomain: .ml.comRetention: session

criticalNetworkTealium (Tracker Tracker)

Tealium (tracker) loaded before consent

Host: tags.tiqcdn.comFired: 1701ms after load

Advertising Tracker6 findings

www.knotch-cdn.com, glassbox-hlx-igw.bankofamerica.com, tilt.bankofamerica.com, td.doubleclick.net, smetrics.bankofamerica.com, units.knotch.it