Novartis

novartis.com

Compare

https://novartis.com

Scanned Apr 15, 2026 · 33.1s

Your website score is

0/100
Critical

Grade

F0

Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 34 user data leaks before consent on novartis.com, including LinkedIn Insight Tag, Crazy Egg, Meta Pixel and 8 more.

Security Headers

3/6 present

Strict-Transport-Security

max-age=31536000; includeSubDomains

Content-Security-Policy

Add a Content-Security-Policy header to prevent XSS and code injection attacks

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

nosniff

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

GTM container detected (GTM-57RJQ5) but no consent mode initialisation found. Add gtag('consent', 'default', ...) before your GTM snippet.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

1 vendor

Consent Mode

Not Detected

GTM Load

427ms pre-consent

Google Tag Manager(GTM-57RJQ5)

Loaded 427ms after page load — before the consent banner was detected (banner appeared at 6865ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

Vendors firing after rejection (1)

VendorCategoryTimingURL
OneTrust — OneTrustconsent_management14013mscdn.cookielaw.org

Consent Record Audit

Pass

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

Cookie settings link / floating button found

Consent record and withdrawal mechanism are both correctly implemented

Tracker categories detected

Advertising5 vendors
Analytics5 vendors
Marketing2 vendors
Security3
Functional1 vendor
Tag Management1 vendor
Critical29
TikTok Pixel
TikTok Pixel6 findingsID tracked

analytics.tiktok.com, analytics-ipv6.tiktokw.us, _ttp, tt_sessionId, tt_appInfo, tt_pixel_session_index

TikTok Pixel
criticalNetworkAdvertisingTikTok Pixel

TikTok Pixel (TikTok) loaded before consent: Sends event data to TikTok for ad measurement

ID: D2ITMEJC77U067DPQGJGHost: analytics.tiktok.comFired: 985ms after load
TikTok Pixel
criticalNetworkAdvertisingTikTok Pixel

TikTok Pixel (TikTok) loaded before consent: TikTok Pixel IPv6 enrichment and data collection

Host: analytics-ipv6.tiktokw.usFired: 1813ms after load
TikTok Pixel
criticalCookieAdvertisingTikTok Pixel

TikTok Pixel cookie "_ttp" set before consent

Cookie: _ttpDomain: .tiktok.com
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_sessionId" to sessionStorage before consent

Key: tt_sessionIdType: sessionStorageFired: 1766ms after load
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_appInfo" to sessionStorage before consent

Key: tt_appInfoType: sessionStorageFired: 1777ms after load
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_pixel_session_index" to sessionStorage before consent

Key: tt_pixel_session_indexType: sessionStorageFired: 1778ms after load
Twitter/X Pixel
Twitter/X Pixel2 findingsID tracked

t.co, static.ads-twitter.com

Twitter/X Pixel
criticalNetworkAdvertisingTwitter/X Pixel

Twitter/X Pixel (X (Twitter)) loaded before consent: Twitter/X ad conversion tracking endpoint

ID: twHost: t.coFired: 1217ms after load
Twitter/X Pixel
criticalNetworkAdvertisingTwitter/X Pixel

Twitter/X Pixel (X (Twitter)) loaded before consent: Loads Twitter/X conversion tracking script

Host: static.ads-twitter.comFired: 985ms after load
Google Analytics
Google Analytics3 findingsID tracked

region1.google-analytics.com, _ga, _ga_5TNTKL0CTV

GA4
criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

ID: G-5TNTKL0CTVHost: region1.google-analytics.comFired: 1360ms after load
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set before consent

Cookie: _gaDomain: .novartis.com
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_5TNTKL0CTV" set before consent

Cookie: _ga_5TNTKL0CTVDomain: .novartis.com
Meta Pixel
Meta Pixel3 findingsID tracked

www.facebook.com, connect.facebook.net, _fbp

Meta Pixel
criticalNetworkAdvertisingMeta Pixel

Meta Pixel (Meta) loaded before consent: Meta Pixel tracking endpoint

ID: 1833101976931767Host: www.facebook.comFired: 1858ms after load
Meta Pixel
criticalNetworkAdvertisingMeta Pixel

Meta Pixel (Meta) loaded before consent: Sends user data to Meta for ad targeting and conversion tracking

Host: connect.facebook.netFired: 985ms after load
Meta Pixel
criticalCookieAdvertisingMeta Pixel

Meta Pixel cookie "_fbp" set before consent

Cookie: _fbpDomain: .novartis.com
LinkedIn Insight Tag
criticalNetworkAdvertisingLinkedIn Insight Tag

LinkedIn Insight Tag (LinkedIn) loaded before consent: Tracks conversions and enables LinkedIn audience targeting

Host: snap.licdn.comFired: 985ms after load
Crazy Egg
Crazy Egg4 findings

script.crazyegg.com, cebs, _ce.s, _ce.clock_data

Crazy Egg
criticalNetworkAnalyticsCrazy Egg

Crazy Egg (Crazy Egg) loaded before consent: Crazy Egg heatmap and scroll tracking

Host: script.crazyegg.comFired: 985ms after load
criticalCookieAnalyticsCrazy Egg

Crazy Egg cookie "cebs" set before consent — This cookie is used to track the current user session internally.

Cookie: cebsDomain: .novartis.comRetention: Session
criticalCookieAnalyticsCrazy Egg

Crazy Egg cookie "_ce.s" set before consent

Cookie: _ce.sDomain: .novartis.com
criticalCookieAnalyticsCrazy Egg

Crazy Egg cookie "_ce.clock_data" set before consent

Cookie: _ce.clock_dataDomain: .novartis.com
Google Ads
Google Ads3 findings

www.google.com, _gcl_au, _gcl_ls

Google Ads
criticalNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded before consent: Google Consent Mode data collection for ad measurement

Host: www.google.comFired: 985ms after load
Google Ads
criticalCookieAdvertisingGoogle Ads

Google Ads cookie "_gcl_au" set before consent

Cookie: _gcl_auDomain: .novartis.com
Google Ads
criticalStorageAdvertisingGoogle Ads

Google Ads (Google) wrote "_gcl_ls" to localStorage before consent

Key: _gcl_lsType: localStorageFired: 853ms after load
Crazy Egg (Analytics Tracker)
Crazy Egg (Analytics Tracker)3 findings

tracking.crazyegg.com, pagestates-tracking.crazyegg.com, assets-tracking.crazyegg.com

Crazy Egg (Analytics Tracker)
criticalNetworkAnalyticsCrazy Egg (Analytics Tracker)

Crazy Egg (analytics) loaded before consent

Host: tracking.crazyegg.comFired: 1578ms after load
Crazy Egg (Analytics Tracker)
criticalNetworkAnalyticsCrazy Egg (Analytics Tracker)

Crazy Egg (analytics) loaded before consent

Host: pagestates-tracking.crazyegg.comFired: 1578ms after load
Crazy Egg (Analytics Tracker)
criticalNetworkAnalyticsCrazy Egg (Analytics Tracker)

Crazy Egg (analytics) loaded before consent

Host: assets-tracking.crazyegg.comFired: 1578ms after load
LinkedIn
LinkedIn2 findings

lidc, bcookie

LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "lidc" set before consent — Used by the social networking service, LinkedIn, for tracking the use of embedded services.

Cookie: lidcDomain: .linkedin.comRetention: 1 day
LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "bcookie" set before consent — Used by LinkedIn to track the use of embedded services.

Cookie: bcookieDomain: .linkedin.comRetention: 1 year
criticalCookieMarketingX

X cookie "personalization_id" set before consent — Unique value with which users can be identified by X. Collected information is used to be personalize X services, including X trends, stories, ads and suggestions.

Cookie: personalization_idDomain: .twitter.comRetention: 2 years
OneTrust — OneTrust
criticalPost-RejectionConsent MgmtOneTrust — OneTrust

OneTrust — OneTrust fires after user rejected consent

Fired: 14013ms after load
Warnings6
Google Tag Manager
Google Tag Manager2 findingsID tracked

www.googletagmanager.com

Google Tag Manager
warningNetworkTag ManagementGoogle Tag Manager

Google Tag Manager (Google) loaded before consent: Loads the GTM container which may trigger other tags

ID: GTM-57RJQ5Host: www.googletagmanager.comFired: 290ms after load
Google Tag Manager
warningGTMTag ManagementGoogle Tag Manager

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-57RJQ5)

Twitter (Social Tracker)
warningNetworkTwitter (Social Tracker)

Twitter (social) loaded before consent

ID: nzgy6Host: analytics.twitter.comFired: 1220ms after load
vendor logo
warningNetwork

Unknown third-party request to px.ads.linkedin.com before consent

Host: px.ads.linkedin.comFired: 1065ms after load
warningNetwork

Unknown third-party request to capi-automation.s3.us-east-2.amazonaws.com before consent

Host: capi-automation.s3.us-east-2.amazonaws.comFired: 2026ms after load
warningStorage

localStorage key "lastExternalReferrer" written before consent

Key: lastExternalReferrerType: localStorageFired: 1823ms after load
Info7
Cloudflare Web Analytics
infoNetworkAnalyticsCloudflare Web Analytics

Cloudflare Web Analytics (Cloudflare) loaded before consent: Cloudflare Web Analytics beacon — privacy-focused, no cookies

Host: static.cloudflareinsights.comFired: 173ms after load
OneTrust
OneTrust2 findings

cdn.cookielaw.org, OptanonConsent

OneTrust
infoNetworkConsent MgmtOneTrust

OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management

Host: cdn.cookielaw.orgFired: 290ms after load
OneTrust
infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonConsent" set before consent

Cookie: OptanonConsentDomain: .novartis.com
Google (Cdn)
infoNetworkGoogle (Cdn)

Google (cdn) loaded before consent

Host: www.youtube.comFired: 609ms after load
OneTrust CMP
infoNetworkConsent MgmtOneTrust CMP

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location

Host: geolocation.onetrust.comFired: 819ms after load
LinkedIn
infoCookieFunctionalLinkedIn

LinkedIn cookie "li_gc" set before consent — Used to store guest consent to the use of cookies for non-essential purposes

Cookie: li_gcDomain: .linkedin.comRetention: 2 years
infoCookieFunctional

Cloudflare bot management — necessary for site operation

Cookie: __cf_bmDomain: .novartis.com
Compliant2
OneTrust
CompliantCookieConsent MgmtOneTrust

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent

Cookie: OptanonAlertBoxClosedDomain: .novartis.com
CompliantCookieMarketingX

X cookie "muc_ads" set correctly after consent

Cookie: muc_adsDomain: .t.coRetention: 24 months

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan novartis.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com