https://udemy.com
Scanned Apr 15, 2026 · 35.2s
Your website score is
Grade
BannerConsent Banner
Yes
Regulatory Compliance
Multi-regulation overview — click any regulation for details
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 74 user data leaks before consent on udemy.com, including Braze, Amplitude (Analytics Tracker), Meta Pixel and 13 more.
Security Headers
1/6 presentStrict-Transport-Security
Add HSTS header to enforce HTTPS connections and prevent downgrade attacks
Content-Security-Policy
Add a Content-Security-Policy header to prevent XSS and code injection attacks
X-Frame-Options
Add X-Frame-Options header to prevent clickjacking attacks
X-Content-Type-Options
nosniff
Referrer-Policy
Set a Referrer-Policy header to control how much referrer information is shared
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode
V2Consent Parameters
Issues (6)
ad_storage defaults to "granted" — should default to "denied" for GDPR compliance
ad_user_data defaults to "granted" — should default to "denied" for GDPR compliance
ad_personalization defaults to "granted" — should default to "denied" for GDPR compliance
analytics_storage defaults to "granted" — should default to "denied" for GDPR compliance
functionality_storage defaults to "granted" — consider defaulting to "denied"
personalization_storage defaults to "granted" — consider defaulting to "denied"
Post-Rejection Audit
Reject Button
Found
Post-Rejection Fires
1 vendor
Consent Mode
Not Detected
GTM Load
3566ms pre-consent
Google Tag Manager(GTM-7BF3X)
Loaded 3566ms after page load — before the consent banner was detected (banner appeared at 7654ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
✓ gtag('consent', 'update') call detected on rejection
Vendors firing after rejection (1)
| Vendor | Category | Timing | URL |
|---|---|---|---|
| Braze — Braze | marketing | 21584ms | sdk.iad-03.braze.com |
Consent Record Audit
Issues detectedConsent record stored after interaction
GDPR Art. 7(1)Found: OptanonConsent (OneTrust)
Record contains timestamp
Art. 7(1)Timestamp field detected
Record contains consent state
Art. 7(1)Accept/reject state detected
Record contains consent categories
Art. 7(1)Consent categories (analytics, marketing, etc.) not found in record
Consent withdrawal mechanism accessible
GDPR Art. 7(3)No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical40
Twitter/X Pixel2 findingsID trackedt.co, static.ads-twitter.com
t.co, static.ads-twitter.com
Twitter/X Pixel (X (Twitter)) loaded before consent: Twitter/X ad conversion tracking endpoint
Twitter/X Pixel (X (Twitter)) loaded before consent: Loads Twitter/X conversion tracking script
Meta Pixel3 findingsID trackedwww.facebook.com, connect.facebook.net, _fbp
www.facebook.com, connect.facebook.net, _fbp
Meta Pixel (Meta) loaded before consent: Meta Pixel tracking endpoint
Meta Pixel (Meta) loaded before consent: Sends user data to Meta for ad targeting and conversion tracking
Meta Pixel cookie "_fbp" set before consent
Braze3 findingssdk.iad-03.braze.com, ab.storage.sessionId.5cefca91-d218-4b04-8bdd-c8876ec1908d, ab.storage.deviceId.5cefca91-d218-4b04-8bdd-c8876ec1908d
sdk.iad-03.braze.com, ab.storage.sessionId.5cefca91-d218-4b04-8bdd-c8876ec1908d, ab.storage.deviceId.5cefca91-d218-4b04-8bdd-c8876ec1908d
Braze (Braze) loaded before consent: Braze customer engagement and marketing automation
Braze cookie "ab.storage.sessionId.5cefca91-d218-4b04-8bdd-c8876ec1908d" set before consent — Randomly-generated string used to determine whether the user is starting a new or existing session to sync messages and calculate session analytics.
Braze cookie "ab.storage.deviceId.5cefca91-d218-4b04-8bdd-c8876ec1908d" set before consent — Randomly-generated string used to identify anonymous users, and to differentiate users’ devices and enables device-based messaging.
Amplitude (Analytics Tracker)3 findingssr-client-cfg.amplitude.com, api2.amplitude.com, gs.amplitude.com
sr-client-cfg.amplitude.com, api2.amplitude.com, gs.amplitude.com
Amplitude (analytics) loaded before consent
Amplitude (analytics) loaded before consent
Amplitude (analytics) loaded before consent
Microsoft Ads3 findingsbat.bing.com, _uetsid, _uetvid
bat.bing.com, _uetsid, _uetvid
Microsoft Ads (Microsoft) loaded before consent: Microsoft Ads (Bing) UET conversion tracking
Microsoft Ads cookie "_uetsid" set before consent
Microsoft Ads cookie "_uetvid" set before consent
Google Ads5 findingswww.google.com, googleads.g.doubleclick.net, www.googleadservices.com, _gcl_au, _gcl_ls
www.google.com, googleads.g.doubleclick.net, www.googleadservices.com, _gcl_au, _gcl_ls
Google Ads (Google) loaded before consent: Google Consent Mode data collection for ad measurement
Google Ads (Google) loaded before consent: Sends conversion data to Google Ads
Google Ads (Google) loaded before consent: Google Ads conversion tracking
Google Ads cookie "_gcl_au" set before consent
Google Ads (Google) wrote "_gcl_ls" to localStorage before consent
Bliss Point (advertising) loaded before consent
ProProfs (Analytics Tracker)2 findingscl.qualaroo.com, dntcl.qualaroo.com
cl.qualaroo.com, dntcl.qualaroo.com
ProProfs (analytics) loaded before consent
ProProfs (analytics) loaded before consent
UpsellIt (advertising) loaded before consent
Impact (advertising) loaded before consent
Amplitude4 findingscdn.amplitude.com, AMP_7269f546a4, AMP_MKTG_5a3d2e29ec, AMP_5a3d2e29ec
cdn.amplitude.com, AMP_7269f546a4, AMP_MKTG_5a3d2e29ec, AMP_5a3d2e29ec
Amplitude (Amplitude) loaded before consent: Amplitude product analytics
Amplitude cookie "AMP_7269f546a4" set before consent
Amplitude cookie "AMP_MKTG_5a3d2e29ec" set before consent
Amplitude cookie "AMP_5a3d2e29ec" set before consent
Shopify2 findingski_t, ki_r
ki_t, ki_r
Shopify cookie "ki_t" set before consent — Shopify analytics.
Shopify cookie "ki_r" set before consent — Shopify analytics.
X2 findingsmuc_ads, personalization_id
muc_ads, personalization_id
X cookie "muc_ads" set before consent — These cookies are placed when you come to our website via X. A cookie from X is also placed on our website, with which we can later show a relevant offer on X
X cookie "personalization_id" set before consent — Unique value with which users can be identified by X. Collected information is used to be personalize X services, including X trends, stories, ads and suggestions.
LinkedIn2 findingsbrwsr, irld
brwsr, irld
LinkedIn cookie "brwsr" set before consent — This cookie is used to Affiliate Marketing Cookie for LinkedIn
LinkedIn cookie "irld" set before consent — This cookie is used for Affiliate Marketing Cookie for LinkedIn
Bing / Microsoft cookie "MUID" set before consent — Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.
Google Analytics3 findings_ga_7YMFEFLR6Q, _ga, FPAU
_ga_7YMFEFLR6Q, _ga, FPAU
Google Analytics cookie "_ga_7YMFEFLR6Q" set before consent
Google Analytics cookie "_ga" set before consent
Google Analytics cookie "FPAU" set before consent — Assigns a specific ID to the visitor. This allows the website to determine the number of specific user-visits for analysis and statistics.
Braze — Braze fires after user rejected consent
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings36
Google Tag Manager2 findingsID trackedwww.googletagmanager.com
www.googletagmanager.com
Google Tag Manager (Google) loaded before consent: Loads the GTM container which may trigger other tags
GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-7BF3X)
Twitter (social) loaded before consent
Possible server-side tag proxy at gtm.udemy.com — analytics data may be forwarded to third parties before consent. Browser scanning cannot verify downstream recipients; audit your GTM Server-side or CNAME configuration.
Unknown third-party request to frontends.udemycdn.com before consent
Unknown third-party request to cms-images.udemycdn.com before consent
Unknown third-party request to s.udemycdn.com before consent
Unknown third-party request to accounts.google.com before consent
Unknown third-party request to img-c.udemycdn.com before consent
Unknown third-party request to use.fontawesome.com before consent
Unknown third-party request to google.com before consent
Unknown third-party request to www.google.com before consent
localStorage key "__storejs__test__" written before consent
localStorage key "header-browse-nav:items" written before consent
localStorage key "expiringLocalStorageFactory.expirations" written before consent
localStorage key "test1776282264856" written before consent
sessionStorage key "__sak" written before consent
localStorage key "notices:api" written before consent
localStorage key "AMP_remote_config_7269f546a4" written before consent
localStorage key "AMP_remote_config_5a3d2e29ec" written before consent
localStorage key "usi_entry_url_1" written before consent
localStorage key "usi_referrer_url" written before consent
localStorage key "usi_pv_count" written before consent
localStorage key "AMP_TEST" written before consent
localStorage key "AMP_unsent_7269f546a4" written before consent
localStorage key "_uetsid" written before consent
localStorage key "_uetsid_exp" written before consent
localStorage key "lastExternalReferrer" written before consent
localStorage key "_uetvid" written before consent
localStorage key "_uetvid_exp" written before consent
sessionStorage key "amplitude.engagement.5a3d2e.sessionStart" written before consent
sessionStorage key "amplitude.engagement.ENGAGEMENT_5a3d2e29ec_DEFAULT_USER_PROVIDER" written before consent
sessionStorage key "usi_app.company_id" written before consent
localStorage key "amplitude.engagement.eus.5a3d2e.user_id:9a6eeda038fc4cafbe683e100c680ea4" written before consent
sessionStorage key "AMP_URL_INFO" written before consent
localStorage key "AMP_unsent_5a3d2e29ec" written before consent
Info8
OneTrust2 findingscdn.cookielaw.org, OptanonConsent
cdn.cookielaw.org, OptanonConsent
OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management
OneTrust cookie "OptanonConsent" set before consent
OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location
Naver (cdn) loaded before consent
Google (cdn) loaded before consent
DoubleClick/Google Marketing cookie "test_cookie" set before consent — This cookie is set by DoubleClick (which is owned by Google) to determine if the website visitor's browser supports cookies.
Cloudflare challenge clearance — necessary for site access
Cloudflare bot management — necessary for site operation
Compliant5
Google Analytics2 findings_gid, _dc_gtm_UA-12366301-1
_gid, _dc_gtm_UA-12366301-1
Google Analytics cookie "_gid" set correctly after consent
Google Analytics cookie "_dc_gtm_UA-12366301-1" set correctly after consent
DoubleClick/Google Marketing cookie "IDE" set correctly after consent
Amplitude2 findingsAMP_TLDTEST_5d2713c7, AMP_TLDTEST_ba42347f
AMP_TLDTEST_5d2713c7, AMP_TLDTEST_ba42347f
Amplitude cookie "AMP_TLDTEST_5d2713c7" set correctly after consent
Amplitude cookie "AMP_TLDTEST_ba42347f" set correctly after consent
Is this your site?
Run a full multi-page scan with monitoring and get detailed remediation steps
Scan udemy.com →This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com