Orange

orange.com

Compare

https://orange.com

Scanned Apr 15, 2026 · 34.9s

Your website score is

35/100
Critical

Grade

D35

Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 7 user data leaks before consent on orange.com, including Didomi (Tracker Tracker).

Security Headers

2/6 present

Strict-Transport-Security

Add HSTS header to enforce HTTPS connections and prevent downgrade attacks

Content-Security-Policy

Add a Content-Security-Policy header to prevent XSS and code injection attacks

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

nosniff

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

GTM container detected (GTM-PLJZRBV) but no consent mode initialisation found. Add gtag('consent', 'default', ...) before your GTM snippet.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

1 vendor

Consent Mode

Not Detected

GTM Load

Not detected

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

Vendors firing after rejection (1)

VendorCategoryTimingURL
Google — Google Tag Managertag_management15424mswww.googletagmanager.com

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: euconsent-v2 (IAB TCF v2)

Record contains timestamp

Art. 7(1)

No timestamp found in consent record

Record contains consent state

Art. 7(1)

Consent state (accepted/rejected) not found in record

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Analytics1 vendor
Security4
Functional1
Tag Management2 vendors
Critical4
Didomi (Tracker Tracker)
Didomi (Tracker Tracker)2 findings

sdk.privacy-center.org, api.privacy-center.org

Didomi (Tracker Tracker)
criticalNetworkDidomi (Tracker Tracker)

Didomi (tracker) loaded before consent

Host: sdk.privacy-center.orgFired: 1959ms after load
Didomi (Tracker Tracker)
criticalNetworkDidomi (Tracker Tracker)

Didomi (tracker) loaded before consent

Host: api.privacy-center.orgFired: 3287ms after load
Google — Google Tag Manager
criticalPost-RejectionTag ManagementGoogle — Google Tag Manager

Google — Google Tag Manager fires after user rejected consent

Fired: 15424ms after load
criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings5
Google Tag Manager
warningNetworkTag ManagementGoogle Tag Manager

Google Tag Manager (Google) loaded before consent: Loads the GTM container which may trigger other tags

ID: GTM-PLJZRBVHost: www.googletagmanager.comFired: 805ms after load
vendor logo
warningNetwork

Unknown third-party request to cdn-eu.readspeaker.com before consent

Host: cdn-eu.readspeaker.comFired: 538ms after load
vendor logo
warningNetwork

Unknown third-party request to asset.epresspack.eu before consent

Host: asset.epresspack.euFired: 538ms after load
vendor logo
warningNetwork

Unknown third-party request to mastermedia.dam-broadcast.com before consent

Host: mastermedia.dam-broadcast.comFired: 543ms after load
warningStorage

localStorage key "altutgv2" written before consent

Key: altutgv2Type: localStorageFired: 834ms after load
Info1
infoCookieFunctional

Cross-site request forgery token — security mechanism

Cookie: spcsrfDomain: www.orange.com
Compliant3
CompliantCookieConsent MgmtIAB TCF

IAB TCF cookie "euconsent-v2" set correctly after consent

Cookie: euconsent-v2Domain: .www.orange.com
Google Analytics
Google Analytics2 findings

_ga, _ga_MH5TFQ325V

Google Analytics
CompliantCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set correctly after consent

Cookie: _gaDomain: .www.orange.com
Google Analytics
CompliantCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_MH5TFQ325V" set correctly after consent

Cookie: _ga_MH5TFQ325VDomain: .www.orange.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan orange.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com