Ulta Beauty

ulta.com

Compare

https://ulta.com

Scanned Apr 15, 2026 · 41.7s

Your website score is

0/100
Critical

Grade

F0

Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 40 user data leaks before consent on ulta.com, including Akamai (Analytics Tracker), Tealium (Tracker Tracker), Medallia (Analytics Tracker) and 6 more.

Security Headers

2/6 present

Strict-Transport-Security

Add HSTS header to enforce HTTPS connections and prevent downgrade attacks

Content-Security-Policy

Add a Content-Security-Policy header to prevent XSS and code injection attacks

X-Frame-Options

DENY

X-Content-Type-Options

nosniff

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

0 vendors

Consent Mode

Not Detected

GTM Load

Not detected

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

No tracking vendors detected firing after rejection

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising2 vendors
Analytics4 vendors
Marketing1 vendor
Security4
Functional2 vendors
Critical18
Akamai (Analytics Tracker)
Akamai (Analytics Tracker)2 findings

s.go-mpulse.net, c.go-mpulse.net

Akamai (Analytics Tracker)
criticalNetworkAnalyticsAkamai (Analytics Tracker)

Akamai (analytics) loaded before consent

Host: s.go-mpulse.netFired: 1156ms after load
Akamai (Analytics Tracker)
criticalNetworkAnalyticsAkamai (Analytics Tracker)

Akamai (analytics) loaded before consent

Host: c.go-mpulse.netFired: 4172ms after load
Tealium (Tracker Tracker)
criticalNetworkTealium (Tracker Tracker)

Tealium (tracker) loaded before consent

Host: tags.tiqcdn.comFired: 4510ms after load
Medallia (Analytics Tracker)
criticalNetworkAnalyticsMedallia (Analytics Tracker)

Medallia (analytics) loaded before consent

Host: nebula-cdn.kampyle.comFired: 4510ms after load
Impact
criticalNetworkAdvertisingImpact

Impact (Impact) loaded before consent: Impact affiliate and partnership tracking

Host: d.impactradius-event.comFired: 5435ms after load
Impact (Advertising Tracker)
criticalNetworkAdvertisingImpact (Advertising Tracker)

Impact (advertising) loaded before consent

Host: www.ojrq.netFired: 6175ms after load
The Trade Desk (Tracker Tracker)
The Trade Desk (Tracker Tracker)3 findings

js.adsrvr.org, insight.adsrvr.org, match.adsrvr.org

The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: js.adsrvr.orgFired: 6267ms after load
The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: insight.adsrvr.orgFired: 7711ms after load
The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: match.adsrvr.orgFired: 7783ms after load
Dynatrace (Analytics Tracker)
criticalNetworkAnalyticsDynatrace (Analytics Tracker)

Dynatrace (analytics) loaded before consent

Host: bf78180lnp.bf.dynatrace.comFired: 7711ms after load
Dynatrace
Dynatrace5 findings

rxVisitor, dtSa, dtPC, dtCookie, rxvt

Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "rxVisitor" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: rxVisitorDomain: .ulta.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtSa" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtSaDomain: .ulta.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtPC" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtPCDomain: .ulta.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "dtCookie" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: dtCookieDomain: .ulta.comRetention: Session
Dynatrace
criticalCookieAnalyticsDynatrace

Dynatrace cookie "rxvt" set before consent — This cookie is used by RUM API, Dynatrace Real User Monitoring (RUM) gives you the power to know your customers by providing performance analysis in real time.

Cookie: rxvtDomain: .ulta.comRetention: Session
LinkedIn
LinkedIn2 findings

brwsr, irld

LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "brwsr" set before consent — This cookie is used to Affiliate Marketing Cookie for LinkedIn

Cookie: brwsrDomain: .ztk5.netRetention: 2 years
LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "irld" set before consent — This cookie is used for Affiliate Marketing Cookie for LinkedIn

Cookie: irldDomain: ulta.ztk5.netRetention: 2 years
criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings23
vendor logo
warningNetwork

Unknown third-party request to media.ultainc.com before consent

Host: media.ultainc.comFired: 3622ms after load
vendor logo
warningNetwork

Unknown third-party request to cdn.gladly.com before consent

Host: cdn.gladly.comFired: 4510ms after load
vendor logo
warningNetwork

Unknown third-party request to conversation.ultainc.com before consent

Host: conversation.ultainc.comFired: 4510ms after load
vendor logo
warningNetwork

Unknown third-party request to sierra.chat before consent

Host: sierra.chatFired: 4510ms after load
vendor logo
warningNetwork

Unknown third-party request to static.narrativ.com before consent

Host: static.narrativ.comFired: 5435ms after load
vendor logo
warningNetwork

Unknown third-party request to ulta.ztk5.net before consent

Host: ulta.ztk5.netFired: 5749ms after load
warningStorage

localStorage key "rxVisitor" written before consent

Key: rxVisitorType: localStorageFired: 622ms after load
warningStorage

sessionStorage key "rxvisitid" written before consent

Key: rxvisitidType: sessionStorageFired: 623ms after load
warningStorage

sessionStorage key "rxvt" written before consent

Key: rxvtType: sessionStorageFired: 625ms after load
warningStorage

sessionStorage key "dtSa" written before consent

Key: dtSaType: sessionStorageFired: 671ms after load
warningStorage

localStorage key "dtCFG_11qvxopq_6fe4664190660d01" written before consent

Key: dtCFG_11qvxopq_6fe4664190660d01Type: localStorageFired: 738ms after load
warningStorage

sessionStorage key "dtTAB_11qvxopq" written before consent

Key: dtTAB_11qvxopqType: sessionStorageFired: 739ms after load
warningStorage

localStorage key "_boomr_clss" written before consent

Key: _boomr_clssType: localStorageFired: 1812ms after load
warningStorage

sessionStorage key "Nudge" written before consent

Key: NudgeType: sessionStorageFired: 3085ms after load
warningStorage

sessionStorage key "RailSwiperFallbackId-12LlJLuB9vto8WRL_qSBp" written before consent

Key: RailSwiperFallbackId-12LlJLuB9vto8WRL_qSBpType: sessionStorageFired: 3089ms after load
warningStorage

sessionStorage key "RailSwiperFallbackId-Flu3BBj98NqomBBcFz01V" written before consent

Key: RailSwiperFallbackId-Flu3BBj98NqomBBcFz01VType: sessionStorageFired: 3090ms after load
warningStorage

sessionStorage key "RailSwiperFallbackId-RnI-dbSzTfzJ0az9JC_Xx" written before consent

Key: RailSwiperFallbackId-RnI-dbSzTfzJ0az9JC_XxType: sessionStorageFired: 3097ms after load
warningStorage

localStorage key "DSOTF_LOGIN_HINT_KEY" written before consent

Key: DSOTF_LOGIN_HINT_KEYType: localStorageFired: 3106ms after load
warningStorage

localStorage key "storage_test" written before consent

Key: storage_testType: localStorageFired: 6304ms after load
warningStorage

localStorage key "_mibhv" written before consent

Key: _mibhvType: localStorageFired: 6320ms after load
warningStorage

sessionStorage key "window-id" written before consent

Key: window-idType: sessionStorageFired: 7026ms after load
warningStorage

localStorage key "ulta.com" written before consent

Key: ulta.comType: localStorageFired: 7067ms after load
warningStorage

localStorage key "__lh_test__" written before consent

Key: __lh_test__Type: localStorageFired: 7580ms after load
Info9
OneTrust
OneTrust2 findings

cdn.cookielaw.org, OptanonConsent

OneTrust
infoNetworkConsent MgmtOneTrust

OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management

Host: cdn.cookielaw.orgFired: 457ms after load
OneTrust
infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonConsent" set before consent

Cookie: OptanonConsentDomain: .www.ulta.com
OneTrust CMP
infoNetworkConsent MgmtOneTrust CMP

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location

Host: geolocation.onetrust.comFired: 3973ms after load
Google (Cdn)
Google (Cdn)2 findings

www.gstatic.com, agenticapplications.googleapis.com

Google (Cdn)
infoNetworkGoogle (Cdn)

Google (cdn) loaded before consent

Host: www.gstatic.comFired: 6190ms after load
Google (Cdn)
infoNetworkGoogle (Cdn)

Google (cdn) loaded before consent

Host: agenticapplications.googleapis.comFired: 7907ms after load
Cloudflare (Cdn)
infoNetworkCloudflare (Cdn)

Cloudflare (cdn) loaded before consent

Host: cdnjs.cloudflare.comFired: 7088ms after load
Akamai
infoCookieFunctionalAkamai

Akamai cookie "AKA_A2" set before consent — Used for Akamai's Advanced Acceleration feature, intended to improve web performance

Cookie: AKA_A2Domain: .ulta.comRetention: 1 hour or longer
infoCookieFunctionalTripadvisor

Tripadvisor cookie "RT" set before consent — This cookie is used to identify the visitor through an application. This allows the visitor to login to a website through their LinkedIn application for example.

Cookie: RTDomain: .ulta.comRetention: 399 days
infoCookieFunctional

AWS Application Load Balancer — necessary for infrastructure

Cookie: AWSALBCORSDomain: ulta.ztk5.net
Compliant1
OneTrust
CompliantCookieConsent MgmtOneTrust

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent

Cookie: OptanonAlertBoxClosedDomain: .www.ulta.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan ulta.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com