Next Cookie Compliance Report

next.co.uk

Compare

https://next.co.uk

Scanned Apr 17, 2026 · 44.8s

Your website score is

0/100

Critical

Grade

BannerConsent Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 29 user data leaks before consent on next.co.uk, including GA4, Google Ads, Exponea.

Security Headers

1/6 present

Strict-Transport-Security

Add HSTS header to enforce HTTPS connections and prevent downgrade attacks

Content-Security-Policy

frame-ancestors 'self' iguidewebapp.next-uk.next.loc/ end-duws02.next-uk.next.loc/ end-dpws02.next-uk.next.loc/ studio.mgmt.qa.test/ studio.mgmt.next-uk.next.loc/

X-Frame-Options

Add X-Frame-Options header to prevent clickjacking attacks

X-Content-Type-Options

Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

70/100

GTM Containers:GTM-KMS4Q5KGTM-NH5BXR6GTM-K4GHT9VGTM-KD3K4RZ9GTM-P4JTK54GTM-MGVRZFGGTM-5CNGS3MGTM-5MNFGJFHGTM-5WZ5PXLGTM-WRTPJK9

Consent Parameters

ParameterDefaultUpdated

Ad Storagenot_setgranted

Ad User Datanot_setgranted

Ad Personalizationnot_setgranted

Analytics Storagenot_setgranted

Functionality Storagenot_setnot_set

Personalization Storagenot_setnot_set

Security Storagenot_setnot_set

Issues (1)

No default consent call detected — consent mode may not be initialised correctly

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

1 vendor

Consent Mode

Advanced

GTM Load

670ms pre-consent

Google Tag Manager(GTM-KMS4Q5K)

Loaded 670ms after page load — before the consent banner was detected (banner appeared at 8658ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.

Consent Mode V2: Advanced

Advanced Consent Mode — consent update call fires on rejection and tracking stops correctly.

✓ gtag('consent', 'update') call detected on rejection

Vendors firing after rejection (1)

Vendor	Category	Timing	URL
Google — GA4	analytics	26581ms	region1.google-analytics.com

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising7 vendors

Analytics6 vendors

Marketing10 vendors

Security5

Functional3 vendors

Tag Management1 vendor

Critical7

Data was transmitted to a third-party or storage was written on the user’s device before consent. This is a GDPR/ePrivacy violation, not just a script load.

criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

ID: G-86YHTTW9QYHost: region1.google-analytics.comFired: 5018ms after load

Google Ads2 findings

pagead2.googlesyndication.com, ade.googlesyndication.com

criticalNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded before consent: Google ad syndication and remarketing

Host: pagead2.googlesyndication.comFired: 5018ms after load

criticalNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded before consent: Google ad syndication and remarketing

Host: ade.googlesyndication.comFired: 5018ms after load

Exponea2 findings

__exponea_etc__, __exponea_time2__

criticalCookieMarketingExponea

Exponea cookie "__exponea_etc__" set before consent — Exponea Bloomreach Engagement - This cookie is used to determine which products the visitor has viewed. This information is used to promote related products and optimize ad-efficiency.

Cookie: __exponea_etc__Domain: .next.co.ukRetention: 3 years

criticalCookieMarketingExponea

Exponea cookie "__exponea_time2__" set before consent — Exponea Bloomreach Engagement - This cookie is used to determine which products the visitor has viewed. This information is used to promote related products and optimize ad-efficiency.

Cookie: __exponea_time2__Domain: .next.co.ukRetention: 1 day

criticalPost-RejectionAnalyticsGoogle — GA4

Google — GA4 fires after user rejected consent

Fired: 26581ms after load

criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings24

A tag container or script loaded before consent but tags appear correctly gated (e.g. GTM with Consent Mode v2). Not a violation on its own — review to confirm downstream tags stay blocked.

Google Tag Manager2 findingsID tracked

www.googletagmanager.com

warningNetworkTag ManagementGoogle Tag Manager

Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire

ID: GTM-KMS4Q5KHost: www.googletagmanager.comFired: 555ms after load

warningGTMTag ManagementGoogle Tag Manager

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-KMS4Q5K)

warningNetwork

Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire

ID: GTM-NH5BXR6Host: www.googletagmanager.comFired: 3083ms after load

warningNetwork

Unknown third-party request to static.queue-it.net before consent

Host: static.queue-it.netFired: 206ms after load

warningNetwork

Unknown third-party request to assets.queue-it.net before consent

Host: assets.queue-it.netFired: 407ms after load

warningNetwork

Unknown third-party request to next.queue-it.net before consent

Host: next.queue-it.netFired: 1856ms after load

warningStorage

localStorage key "__exponea_storage_test__" written before consent

Key: __exponea_storage_test__Type: localStorageFired: 1052ms after load

warningStorage

localStorage key "__exponea_last_session_start_timestamp__" written before consent

Key: __exponea_last_session_start_timestamp__Type: localStorageFired: 1118ms after load

warningStorage

localStorage key "__exponea_last_session_ping_timestamp__" written before consent

Key: __exponea_last_session_ping_timestamp__Type: localStorageFired: 1119ms after load

warningStorage

localStorage key "__storage_test_sample__" written before consent

Key: __storage_test_sample__Type: localStorageFired: 1122ms after load

warningStorage

localStorage key "__tmp_localstoragetest" written before consent

Key: __tmp_localstoragetestType: localStorageFired: 1235ms after load

warningStorage

localStorage key "_tmptest" written before consent

Key: _tmptestType: localStorageFired: 1264ms after load

warningStorage

localStorage key "dummy" written before consent

Key: dummyType: localStorageFired: 1679ms after load

warningStorage

localStorage key "ak_a" written before consent

Key: ak_aType: localStorageFired: 1777ms after load

warningStorage

localStorage key "__akfp_storage_test__" written before consent

Key: __akfp_storage_test__Type: localStorageFired: 2166ms after load

warningStorage

sessionStorage key "__exponea_tracking_definition__" written before consent

Key: __exponea_tracking_definition__Type: sessionStorageFired: 2810ms after load

warningStorage

localStorage key "BR:CLARITY_WEBLAYER" written before consent

Key: BR:CLARITY_WEBLAYERType: localStorageFired: 2820ms after load

warningStorage

localStorage key "__clarity_last_session_start_timestamp__" written before consent

Key: __clarity_last_session_start_timestamp__Type: localStorageFired: 2822ms after load

warningStorage

sessionStorage key "test" written before consent

Key: testType: sessionStorageFired: 4560ms after load

warningStorage

localStorage key "favouriteCacheVersion" written before consent

Key: favouriteCacheVersionType: localStorageFired: 4560ms after load

warningStorage

localStorage key "VisitedPages" written before consent

Key: VisitedPagesType: localStorageFired: 4648ms after load

warningStorage

sessionStorage key "RPID" written before consent

Key: RPIDType: sessionStorageFired: 4825ms after load

warningStorage

sessionStorage key "NextFavourites:HasFavouriteItems" written before consent

Key: NextFavourites:HasFavouriteItemsType: sessionStorageFired: 4827ms after load

warningStorage

sessionStorage key "ak_bm_tab_id" written before consent

Key: ak_bm_tab_idType: sessionStorageFired: 7789ms after load

Info7

Neutral observations — activity we detected that isn’t a violation but is useful context (e.g. essential cookies, CMP initialisation).

OneTrust2 findings

cdn.cookielaw.org, OptanonConsent

infoNetworkConsent MgmtOneTrust

OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management

Host: cdn.cookielaw.orgFired: 202ms after load

infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonConsent" set before consent

Cookie: OptanonConsentDomain: .next.co.uk

infoNetworkConsent MgmtOneTrust CMP

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location

Host: geolocation.onetrust.comFired: 416ms after load

infoCookieFunctionalCitrix

Citrix cookie "NSC_JObpvvqlbx0xcdzbrn3bnhbgejhupbq" set before consent — This cookie name is associated with the Netscaler load balancing service from Citrix. This is a pattern type cookie with the root being NSC_ and the rest of the name being a unique encrypted alpha numeric identifier for the virtual server it originated from. The cookie is used to ensure traffic and user data is routed to the correct locations where a site is hosted on multiple servers, so that the end user has a consistent experience.

Cookie: NSC_JObpvvqlbx0xcdzbrn3bnhbgejhupbqDomain: www.next.co.ukRetention: 12 hours

infoCookieFunctional

Akamai bot manager — necessary for site protection

Cookie: _abckDomain: .next.co.uk

infoCookieFunctional

Akamai bot management session — necessary for site protection

Cookie: ak_bmscDomain: .next.co.uk

infoCookieFunctional

.NET session identifier — necessary for site operation

Cookie: ASP.NET_SessionIdDomain: www.next.co.uk

Compliant56

Tags that fired only after the user gave consent — working as intended.

Microsoft Clarity3 findingsID tracked

www.clarity.ms, scripts.clarity.ms, i.clarity.ms

CompliantNetworkAnalyticsMicrosoft Clarity

Microsoft Clarity (Microsoft) loaded correctly after consent

ID: u1ub3gvkolHost: www.clarity.msFired: 4118ms after load

CompliantNetworkAnalyticsMicrosoft Clarity

Microsoft Clarity (Microsoft) loaded correctly after consent

Host: scripts.clarity.msFired: 4829ms after load

CompliantNetworkAnalyticsMicrosoft Clarity

Microsoft Clarity (Microsoft) loaded correctly after consent

Host: i.clarity.msFired: 6596ms after load

TikTok Pixel6 findingsID tracked

analytics.tiktok.com, _ttp, _tt_enable_cookie, tt_sessionId, tt_appInfo, tt_pixel_session_index

CompliantNetworkAdvertisingTikTok Pixel

TikTok Pixel (TikTok) loaded correctly after consent

ID: C0VO58H5A0R73RNS8PEGHost: analytics.tiktok.comFired: 4600ms after load

CompliantCookieAdvertisingTikTok Pixel

TikTok Pixel cookie "_ttp" set correctly after consent

Cookie: _ttpDomain: .tiktok.com

CompliantCookieAdvertisingTikTok Pixel

TikTok Pixel cookie "_tt_enable_cookie" set correctly after consent

Cookie: _tt_enable_cookieDomain: .next.co.uk

CompliantStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_sessionId" to sessionStorage correctly after consent

Key: tt_sessionIdType: sessionStorageFired: -21785ms after load

CompliantStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_appInfo" to sessionStorage correctly after consent

Key: tt_appInfoType: sessionStorageFired: -21760ms after load

CompliantStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_pixel_session_index" to sessionStorage correctly after consent

Key: tt_pixel_session_indexType: sessionStorageFired: -21747ms after load

Google Analytics3 findingsID tracked

region1.analytics.google.com, _ga_0MCQTK8RLH, _ga

CompliantNetworkAnalyticsGA4

GA4 (Google) loaded correctly after consent

ID: G-86YHTTW9QYHost: region1.analytics.google.comFired: 6456ms after load

CompliantCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_0MCQTK8RLH" set correctly after consent

Cookie: _ga_0MCQTK8RLHDomain: .next.co.uk

CompliantCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set correctly after consent

Cookie: _gaDomain: .next.co.uk

Pinterest Tag3 findingsID tracked

ct.pinterest.com, s.pinimg.com, _pin_unauth

CompliantNetworkAdvertisingPinterest Tag

Pinterest Tag (Pinterest) loaded correctly after consent

ID: 2612571855386Host: ct.pinterest.comFired: 6633ms after load

CompliantNetworkAdvertisingPinterest Tag

Pinterest Tag (Pinterest) loaded correctly after consent

Host: s.pinimg.comFired: 4600ms after load

CompliantCookieAdvertisingPinterest Tag

Pinterest Tag cookie "_pin_unauth" set correctly after consent

Cookie: _pin_unauthDomain: .next.co.uk

Google Ads5 findings

www.google.com, googleads.g.doubleclick.net, pagead2.googlesyndication.com, _gcl_au, _gcl_ls

CompliantNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded correctly after consent

Host: www.google.comFired: 3367ms after load

CompliantNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded correctly after consent

Host: googleads.g.doubleclick.netFired: 3601ms after load

CompliantNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded correctly after consent

Host: pagead2.googlesyndication.comFired: 6119ms after load

CompliantCookieAdvertisingGoogle Ads

Google Ads cookie "_gcl_au" set correctly after consent

Cookie: _gcl_auDomain: .next.co.uk

CompliantStorageAdvertisingGoogle Ads

Google Ads (Google) wrote "_gcl_ls" to localStorage correctly after consent

Key: _gcl_lsType: localStorageFired: 3276ms after load

Meta Pixel2 findings

connect.facebook.net, _fbp

CompliantNetworkAdvertisingMeta Pixel

Meta Pixel (Meta) loaded correctly after consent

Host: connect.facebook.netFired: 4602ms after load

CompliantCookieAdvertisingMeta Pixel

Meta Pixel cookie "_fbp" set correctly after consent

Cookie: _fbpDomain: .next.co.uk

Snapchat Pixel4 findings

sc-static.net, tr.snapchat.com, _scid, _scid_r

CompliantNetworkAdvertisingSnapchat Pixel

Snapchat Pixel (Snapchat) loaded correctly after consent

Host: sc-static.netFired: 4603ms after load

CompliantNetworkAdvertisingSnapchat Pixel

Snapchat Pixel (Snapchat) loaded correctly after consent

Host: tr.snapchat.comFired: 6487ms after load

CompliantCookieAdvertisingSnapchat Pixel

Snapchat Pixel cookie "_scid" set correctly after consent

Cookie: _scidDomain: .next.co.uk

CompliantCookieAdvertisingSnapchat Pixel

Snapchat Pixel cookie "_scid_r" set correctly after consent

Cookie: _scid_rDomain: .next.co.uk

Taboola5 findings

cdn.taboola.com, trc.taboola.com, taboola_session_id, t_gid, t_pt_gid

CompliantNetworkAdvertisingTaboola

Taboola (Taboola) loaded correctly after consent

Host: cdn.taboola.comFired: 4622ms after load

CompliantNetworkAdvertisingTaboola

Taboola (Taboola) loaded correctly after consent

Host: trc.taboola.comFired: 5936ms after load

CompliantCookieMarketingTaboola

Taboola cookie "taboola_session_id" set correctly after consent

Cookie: taboola_session_idDomain: .taboola.comRetention: Session

CompliantCookieMarketingTaboola

Taboola cookie "t_gid" set correctly after consent

Cookie: t_gidDomain: .taboola.comRetention: 13 months

CompliantCookieFunctionalTaboola

Taboola cookie "t_pt_gid" set correctly after consent

Cookie: t_pt_gidDomain: .taboola.comRetention: 1 Year

Snapchat2 findings

X-AB, sc_at

CompliantCookieFunctionalSnapchat

Snapchat cookie "X-AB" set correctly after consent

Cookie: X-ABDomain: sc-static.netRetention: 1 day

CompliantCookieMarketingSnapchat

Snapchat cookie "sc_at" set correctly after consent

Cookie: sc_atDomain: .snapchat.comRetention: 1 year

CompliantCookieConsent MgmtOneTrust

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent

Cookie: OptanonAlertBoxClosedDomain: .next.co.uk