One Medical

onemedical.com

Compare

https://onemedical.com

Scanned Apr 15, 2026 · 23.3s

Your website score is

0/100
Critical

Grade

F0

Banner

No

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 46 user data leaks before consent on onemedical.com, including Mixpanel, Google Ads, Oracle (Advertising Tracker) and 15 more.

Security Headers

5/6 present

Strict-Transport-Security

max-age=31536000

Content-Security-Policy

upgrade-insecure-requests

X-Frame-Options

DENY

X-Content-Type-Options

nosniff

Referrer-Policy

strict-origin-when-cross-origin

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

GTM container detected (GTM-5PQD, GTM-TTMCK6T) but no consent mode initialisation found. Add gtag('consent', 'default', ...) before your GTM snippet.

Post-Rejection Audit

Reject Button

Missing

Post-Rejection Fires

0 vendors

Consent Mode

Not Detected

GTM Load

515ms pre-consent

Google Tag Manager(GTM-5PQD)

Loaded 515ms after page load — before the consent banner was detected. Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

No consent record written — cannot prove consent was given

No CMP consent cookie or localStorage entry was found after the consent interaction. GDPR requires controllers to demonstrate consent was given.

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising7 vendors
Analytics8 vendors
Marketing4 vendors
Security1
Functional1
Tag Management1 vendor
Critical35
Google Analytics
Google Analytics3 findingsID tracked

region1.analytics.google.com, _ga_Y7SVGHS5RW, _ga

GA4
criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

ID: G-Y7SVGHS5RWHost: region1.analytics.google.comFired: 1791ms after load
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_Y7SVGHS5RW" set before consent

Cookie: _ga_Y7SVGHS5RWDomain: .onemedical.com
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set before consent

Cookie: _gaDomain: .onemedical.com
Google (Tracker Tracker)
criticalNetworkGoogle (Tracker Tracker)

Google (tracker) loaded before consent

ID: G-Y7SVGHS5RWHost: stats.g.doubleclick.netFired: 1791ms after load
Mixpanel
Mixpanel5 findings

cdn.mxpnl.com, api-js.mixpanel.com, mp_10bbe22fd98e982099a9467e581473a5_mixpanel, mp_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5, mp_gen_new_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5

Mixpanel
criticalNetworkAnalyticsMixpanel

Mixpanel (Mixpanel) loaded before consent: Mixpanel product analytics library

Host: cdn.mxpnl.comFired: 721ms after load
Mixpanel
criticalNetworkAnalyticsMixpanel

Mixpanel (Mixpanel) loaded before consent: Mixpanel analytics data collection endpoint

Host: api-js.mixpanel.comFired: 6596ms after load
Mixpanel
criticalCookieAnalyticsMixpanel

Mixpanel cookie "mp_10bbe22fd98e982099a9467e581473a5_mixpanel" set before consent

Cookie: mp_10bbe22fd98e982099a9467e581473a5_mixpanelDomain: .onemedical.com
Mixpanel
criticalStorageAnalyticsMixpanel

Mixpanel (Mixpanel) wrote "mp_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5" to sessionStorage before consent

Key: mp_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5Type: sessionStorageFired: 1573ms after load
Mixpanel
criticalStorageAnalyticsMixpanel

Mixpanel (Mixpanel) wrote "mp_gen_new_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5" to sessionStorage before consent

Key: mp_gen_new_tab_id_mixpanel_10bbe22fd98e982099a9467e581473a5Type: sessionStorageFired: 1573ms after load
Google Ads
Google Ads3 findings

www.google.com, _gcl_au, _gcl_ls

Google Ads
criticalNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded before consent: Google Consent Mode data collection for ad measurement

Host: www.google.comFired: 721ms after load
Google Ads
criticalCookieAdvertisingGoogle Ads

Google Ads cookie "_gcl_au" set before consent

Cookie: _gcl_auDomain: .onemedical.com
Google Ads
criticalStorageAdvertisingGoogle Ads

Google Ads (Google) wrote "_gcl_ls" to localStorage before consent

Key: _gcl_lsType: localStorageFired: 682ms after load
Oracle (Advertising Tracker)
criticalNetworkAdvertisingOracle (Advertising Tracker)

Oracle (advertising) loaded before consent

Host: img04.en25.comFired: 1203ms after load
Demandbase (Analytics Tracker)
Demandbase (Analytics Tracker)3 findings

tag.demandbase.com, s.company-target.com, api.company-target.com

Demandbase (Analytics Tracker)
criticalNetworkAnalyticsDemandbase (Analytics Tracker)

Demandbase (analytics) loaded before consent

Host: tag.demandbase.comFired: 1251ms after load
Demandbase (Analytics Tracker)
criticalNetworkAnalyticsDemandbase (Analytics Tracker)

Demandbase (analytics) loaded before consent

Host: s.company-target.comFired: 1914ms after load
Demandbase (Analytics Tracker)
criticalNetworkAnalyticsDemandbase (Analytics Tracker)

Demandbase (analytics) loaded before consent

Host: api.company-target.comFired: 1923ms after load
Oracle (Analytics Tracker)
criticalNetworkAnalyticsOracle (Analytics Tracker)

Oracle (analytics) loaded before consent

Host: s1492372420.t.eloqua.comFired: 1886ms after load
LiveRamp (Advertising Tracker)
criticalNetworkAdvertisingLiveRamp (Advertising Tracker)

LiveRamp (advertising) loaded before consent

Host: id.rlcdn.comFired: 1921ms after load
IndexExchange (Advertising Tracker)
criticalNetworkAdvertisingIndexExchange (Advertising Tracker)

IndexExchange (advertising) loaded before consent

Host: dsum-sec.casalemedia.comFired: 2120ms after load
Nexxen (Advertising Tracker)
criticalNetworkAdvertisingNexxen (Advertising Tracker)

Nexxen (advertising) loaded before consent

Host: partners.tremorhub.comFired: 2123ms after load
Magnite (Advertising Tracker)
criticalNetworkAdvertisingMagnite (Advertising Tracker)

Magnite (advertising) loaded before consent

Host: pixel.rubiconproject.comFired: 2123ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at distillery.wistia.com loaded before consent

Host: distillery.wistia.comFired: 3154ms after load
criticalCookieMarketingPlatform161

Platform161 cookie "tuuid" set before consent — Unique value to identify individual users.

Cookie: tuuidDomain: .company-target.comRetention: 13 months
criticalCookieMarketingbidswitch.net

bidswitch.net cookie "tuuid_lu" set before consent — Contains a unique visitor ID, which allows Bidswitch.com to track the visitor across multiple websites. This allows Bidswitch to optimize advertisement relevance and ensure that the visitor does not see the same ads multiple times.

Cookie: tuuid_luDomain: .company-target.comRetention: 3 months
Casale Media3 findings

CMID, CMPS, CMPRO

criticalCookieMarketingCasale Media

Casale Media cookie "CMID" set before consent — Collects visitor data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.

Cookie: CMIDDomain: .casalemedia.comRetention: 1 day
criticalCookieMarketingCasale Media

Casale Media cookie "CMPS" set before consent — Collects visitor data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads

Cookie: CMPSDomain: .casalemedia.comRetention: 1 day
criticalCookieMarketingCasale Media

Casale Media cookie "CMPRO" set before consent — Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement - This also allows the website to limit the number of times that the visitor is shown the same advertisement.

Cookie: CMPRODomain: .casalemedia.comRetention: 1 day
Magnite
Magnite2 findings

tvid, tv_UIDM

Magnite
criticalCookieMarketingMagnite

Magnite cookie "tvid" set before consent — Presents the user with relevant content and advertisement. The service is provided by third-party advertisement hubs, which facilitate real-time bidding for advertisers.

Cookie: tvidDomain: .tremorhub.comRetention: 1 year
Magnite
criticalCookieMarketingMagnite

Magnite cookie "tv_UIDM" set before consent — Collects information on user behaviour on multiple websites. This information is used in order to optimize the relevance of advertisement on the website.

Cookie: tv_UIDMDomain: .tremorhub.comRetention: 30 days
Oracle2 findings

ELOQUA, ELQSTATUS

criticalCookieAnalyticsOracle

Oracle cookie "ELOQUA" set before consent — This cookies allow better understand how visitors use the website. This cookie data may be used to personalise the content or design of the website

Cookie: ELOQUADomain: .eloqua.comRetention: 13 months
criticalCookieAnalyticsOracle

Oracle cookie "ELQSTATUS" set before consent — This cookie is used to track individual visitors and their use of the site. It is set when you first visit the site and updated on subsequent visits.

Cookie: ELQSTATUSDomain: .eloqua.comRetention: 13 months
criticalNetwork

No consent banner detected — all cookies and tags fire without user consent

criticalConsent

No "reject all" option found — users cannot refuse non-essential cookies (ICO guidance requires this)

criticalConsent Record

No recognizable consent cookie or storage entry detected after interaction — GDPR Article 7(1) requires controllers to demonstrate consent was given (server-side storage cannot be verified)

criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings14
Google Tag Manager
Google Tag Manager2 findingsID tracked

www.googletagmanager.com

Google Tag Manager
warningNetworkTag ManagementGoogle Tag Manager

Google Tag Manager (Google) loaded before consent: Loads the GTM container which may trigger other tags

ID: GTM-5PQDHost: www.googletagmanager.comFired: 375ms after load
Google Tag Manager
warningGTMTag ManagementGoogle Tag Manager

GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-5PQD)

LaunchDarkly
LaunchDarkly2 findings

app.launchdarkly.com, events.launchdarkly.com

LaunchDarkly
warningNetworkAnalyticsLaunchDarkly

LaunchDarkly (LaunchDarkly) loaded before consent: LaunchDarkly feature flag management

Host: app.launchdarkly.comFired: 1202ms after load
LaunchDarkly
warningNetworkAnalyticsLaunchDarkly

LaunchDarkly (LaunchDarkly) loaded before consent: LaunchDarkly event tracking endpoint

Host: events.launchdarkly.comFired: 2726ms after load
vendor logo
warningNetwork

Unknown third-party request to home-c67.nice-incontact.com before consent

Host: home-c67.nice-incontact.comFired: 345ms after load
warningStorage

localStorage key "__mplss_8usms50z" written before consent

Key: __mplss_8usms50zType: localStorageFired: 1553ms after load
warningStorage

sessionStorage key "__mplss_4ixlr279" written before consent

Key: __mplss_4ixlr279Type: sessionStorageFired: 1572ms after load
warningStorage

localStorage key "__mplss_e1aroqcx" written before consent

Key: __mplss_e1aroqcxType: localStorageFired: 1585ms after load
warningStorage

localStorage key "__mpq_10bbe22fd98e982099a9467e581473a5_ev:X" written before consent

Key: __mpq_10bbe22fd98e982099a9467e581473a5_ev:XType: localStorageFired: 1585ms after load
warningStorage

localStorage key "__mpq_10bbe22fd98e982099a9467e581473a5_ev:Y" written before consent

Key: __mpq_10bbe22fd98e982099a9467e581473a5_ev:YType: localStorageFired: 1586ms after load
warningStorage

localStorage key "__mpq_10bbe22fd98e982099a9467e581473a5_ev:Z" written before consent

Key: __mpq_10bbe22fd98e982099a9467e581473a5_ev:ZType: localStorageFired: 1586ms after load
warningStorage

localStorage key "__mpq_10bbe22fd98e982099a9467e581473a5_ev" written before consent

Key: __mpq_10bbe22fd98e982099a9467e581473a5_evType: localStorageFired: 1591ms after load
warningStorage

localStorage key "ld:62d07583ea13fb110f4c8f3d:$diagnostics" written before consent

Key: ld:62d07583ea13fb110f4c8f3d:$diagnosticsType: localStorageFired: 2715ms after load
warningStorage

localStorage key "__mplss_knq4ea6c" written before consent

Key: __mplss_knq4ea6cType: localStorageFired: 6649ms after load
Info5
Google (Cdn)
infoNetworkGoogle (Cdn)

Google (cdn) loaded before consent

ID: G-Y7SVGHS5RWHost: www.google.nlFired: 1791ms after load
Wistia (Cdn)
Wistia (Cdn)2 findings

fast.wistia.com, embed-ssl.wistia.com

Wistia (Cdn)
infoNetworkWistia (Cdn)

Wistia (cdn) loaded before consent

Host: fast.wistia.comFired: 345ms after load
Wistia (Cdn)
infoNetworkWistia (Cdn)

Wistia (cdn) loaded before consent

Host: embed-ssl.wistia.comFired: 2097ms after load
Sentry
infoNetworkAnalyticsSentry

Sentry (Sentry) loaded before consent: Sentry error monitoring and performance tracking

Host: browser.sentry-cdn.comFired: 1458ms after load
infoCookieFunctional

AWS Application Load Balancer — necessary for infrastructure

Cookie: AWSALBCORSDomain: home-c67.nice-incontact.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan onemedical.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com