Geo-redirect detected
https://vanguard.com redirected to https://investor.vanguard.com/corporate-portal.
https://vanguard.com
Scanned Apr 15, 2026 · 34.7s
Your website score is
Grade
Consent Banner: Yes
Regulatory Compliance
Multi-regulation overview
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 92 user data leaks before consent on vanguard.com, including Adobe (Tracker Tracker), GA4, Google Ads and 43 more.
Security Headers
1/6 present
Strict-Transport-Security
max-age=15768000 ; includeSubDomains
Content-Security-Policy
Add a Content-Security-Policy header to prevent XSS and code injection attacks
X-Frame-Options
Add X-Frame-Options header to prevent clickjacking attacks
X-Content-Type-Options
Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing
Referrer-Policy
Set a Referrer-Policy header to control how much referrer information is shared
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode
Not Detected
Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.
Post-Rejection Audit
Reject Button
Found
Post-Rejection Fires
0 vendors
Consent Mode
Not Detected
GTM Load
Not detected
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
Consent Record Audit
Pass
Consent record stored after interaction
GDPR Art. 7(1): Found: OptanonConsent (OneTrust)
Record contains timestamp
Art. 7(1): Timestamp field detected
Record contains consent state
Art. 7(1): Accept/reject state detected
Record contains consent categories
Art. 7(1): Consent categories (analytics, marketing, etc.) not found in record
Consent withdrawal mechanism accessible
GDPR Art. 7(3): Cookie settings link / floating button found
Tracker categories detected
Critical: 76
Data was transmitted to a third-party or storage was written on the user’s device before consent. This is a GDPR/ePrivacy violation, not just a script load.
Pinterest Tag (Pinterest) loaded before consent: Pinterest conversion tracking
Meta Pixel: 3 findings, ID tracked
www.facebook.com, connect.facebook.net, _fbp

Meta Pixel (Meta) loaded before consent: Meta Pixel tracking endpoint

Meta Pixel (Meta) loaded before consent: Sends user data to Meta for ad targeting and conversion tracking

Meta Pixel cookie "_fbp" set before consent
Adobe (Tracker Tracker): 3 findings
adobedc.demdex.net, dpm.demdex.net, sync-tm.everesttech.net

Adobe (tracker) loaded before consent

Adobe (tracker) loaded before consent

Adobe (tracker) loaded before consent
Google Analytics: 2 findings
www.googletagmanager.com, FPID

GA4 (Google) loaded before consent: Google Analytics gtag.js library

Google Analytics cookie "FPID" set before consent — Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
Google Ads: 5 findings
www.google.com, www.googleadservices.com, googleads.g.doubleclick.net, _gcl_au, _gcl_ls

Google Ads (Google) loaded before consent: Google Consent Mode data collection for ad measurement

Google Ads (Google) loaded before consent: Google Ads conversion tracking

Google Ads (Google) loaded before consent: Sends conversion data to Google Ads

Google Ads cookie "_gcl_au" set before consent

Google Ads (Google) wrote "_gcl_ls" to localStorage before consent
Claritas (advertising) loaded before consent
Simpli.fi (advertising) loaded before consent
Google (Tracker Tracker): 3 findings
12332392.fls.doubleclick.net, 9544918.fls.doubleclick.net, cm.g.doubleclick.net
Google (tracker) loaded before consent
Google (tracker) loaded before consent
Google (tracker) loaded before consent
Amazon (advertising) loaded before consent
Samsung (advertising) loaded before consent
The Trade Desk (tracker) loaded before consent

Microsoft Ads (Microsoft) loaded before consent: Microsoft Ads (Bing) UET conversion tracking
Medallia (analytics) loaded before consent
Advertising Tracker: 2 findings
bat.bing.net, analytics-fe.digital-cloud-prem.medallia.com
advertising tracker at bat.bing.net loaded before consent
advertising tracker at analytics-fe.digital-cloud-prem.medallia.com loaded before consent
Yahoo! (analytics) loaded before consent
PublicisGroupe (tracker) loaded before consent
Roku (advertising) loaded before consent
Perion (advertising) loaded before consent
Spotify (analytics) loaded before consent
Invoca (advertising) loaded before consent
Decibel Insight (advertising) loaded before consent
ZetaGlobal (Advertising Tracker): 10 findings
live.rezync.com, cdn.boomtrain.com, c1.rfihub.net, 20879319p.rfihub.com, 20860028p.rfihub.com, p.rfihub.com, i.liadm.com, a.rfihub.com, people.api.boomtrain.com, events.api.boomtrain.com
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent
ZetaGlobal (advertising) loaded before consent

Microsoft (advertising) loaded before consent
PubMatic (advertising) loaded before consent
OpenX (tracker) loaded before consent
media.net (advertising) loaded before consent
RoqAd (tracker) loaded before consent
IndexExchange (advertising) loaded before consent
LiveRamp (advertising) loaded before consent
Nexxen (advertising) loaded before consent
TransUnion (advertising) loaded before consent

Criteo (advertising) loaded before consent
Dun & Bradstreet (analytics) loaded before consent
Adobe Audience Manager: 3 findings
demdex, mbox, dpm

Adobe Audience Manager cookie "demdex" set before consent — Unique value with which Audience Manager can identify a user. Used, among others, for identification, segmentation, modeling and reporting purposes.

Adobe Audience Manager cookie "mbox" set before consent — Adobe Target uses cookies to give website operators the ability to test which online content and offers are more relevant to visitors.

Adobe Audience Manager cookie "dpm" set before consent — DPM is an abbreviation for Data Provider Match. It tells internal, Adobe systems that a call from Audience Manager or the Adobe Experience Cloud ID Service is passing in customer data for synchronization or requesting an ID.

Adobe Analytics cookie "AMCV_92CA3704532954400A490D44%40AdobeOrg" set before consent
Claritas cookie "barometric[cuid]" set before consent — This cookie is used to identify users for Veritone/Barometric Podcast Conversion.
DoubleClick/Google Marketing: 2 findings
ar_debug, IDE

DoubleClick/Google Marketing cookie "ar_debug" set before consent — Store and track conversions

DoubleClick/Google Marketing cookie "IDE" set before consent — This cookie is used for targeting, analyzing and optimisation of ad campaigns in DoubleClick/Google Marketing Suite
Amazon: 2 findings
ad-id, ad-privacy
Amazon cookie "ad-id" set before consent — Clickthroughs to Amazon websites: Noting how the user got to Amazon via this website
Amazon cookie "ad-privacy" set before consent — Provided by amazon-adsystem.com for tracking user actions on other websites to provide targeted content to the users.
Undertone: 2 findings
UTID, UTID_ENC
Undertone cookie "UTID" set before consent — This cookie is used to store the user's unique identifier
Undertone cookie "UTID_ENC" set before consent — This cookie is used to store the user's unique identifier
Rapleaf: 2 findings
rlas3, pxrc
Rapleaf cookie "rlas3" set before consent — Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
Rapleaf cookie "pxrc" set before consent — This cookie registers non-personal data on the visitor. The information is used to optimize advertisement relevance.
Casale Media: 3 findings
CMID, CMPS, CMPRO
Casale Media cookie "CMID" set before consent — Collects visitor data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
Casale Media cookie "CMPS" set before consent — Collects visitor data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads
Casale Media cookie "CMPRO" set before consent — Collects data on visitor behaviour from multiple websites, in order to present more relevant advertisement - This also allows the website to limit the number of times that the visitor is shown the same advertisement.
openx.net cookie "i" set before consent — Registers user data, such as IP address, geographical location, websites visited and on which advertisements the user has clicked, with the aim of optimizing the display of advertisements based on user relocation on websites that use the same advertising network.
Media.net: 2 findings
visitor-id, data-rk
Media.net cookie "visitor-id" set before consent — This cookie is used to collect information on the visitor, which we then use for analytics purposes.
Media.net cookie "data-rk" set before consent — Cookie used to record your browsing activity, with the purpose of displaying targeted ads.

Adobe Advertising cookie "everest_g_v2" set before consent — This cookie stores the browser and surfer ID. Created after a user initially clicks a client's ad, and used to map the current and subsequent clicks with other events on the client's website
LinkedIn: 2 findings
bcookie, lidc
LinkedIn cookie "bcookie" set before consent — Used by LinkedIn to track the use of embedded services.
LinkedIn cookie "lidc" set before consent — Used by the social networking service, LinkedIn, for tracking the use of embedded services.
Warnings: 16
A tag container or script loaded before consent but tags appear correctly gated (e.g. GTM with Consent Mode v2). Not a violation on its own — review to confirm downstream tags stay blocked.
Unknown third-party request to px.ads.linkedin.com before consent
Possible server-side tag proxy at smetrics.vanguard.com — analytics data may be forwarded to third parties before consent. Browser scanning cannot verify downstream recipients; audit your GTM Server-side or CNAME configuration.
Unknown third-party request to www.google.com before consent
Unknown third-party request to arttrk.com before consent
Unknown third-party request to corp.ivo.assets.vgdynamic.info before consent
Unknown third-party request to pix.pontiac.media before consent
Unknown third-party request to corp.etm.assets.vgdynamic.info before consent
localStorage key "dummy" written before consent
localStorage key "ak_a" written before consent
sessionStorage key "com.adobe.reactor.core.visitorTracking.landingPage" written before consent
sessionStorage key "com.adobe.reactor.core.visitorTracking.trafficSource" written before consent
localStorage key "com.adobe.alloy.92CA3704532954400A490D44_AdobeOrg.consentHashes.Adobe.1.0" written before consent
sessionStorage key "di_tab_hash" written before consent
localStorage key "invoca_id" written before consent
sessionStorage key "_da_da_sessionId" written before consent
localStorage key "lastExternalReferrer" written before consent
Info: 6
Neutral observations — activity we detected that isn’t a violation but is useful context (e.g. essential cookies, CMP initialisation).

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location
Google (cdn) loaded before consent

OneTrust cookie "OptanonConsent" set before consent
LinkedIn cookie "li_gc" set before consent — Used to store guest consent to the use of cookies for non-essential purposes
Akamai bot manager — necessary for site protection
Load balancer server affinity — necessary for infrastructure
Compliant: 1
Tags that fired only after the user gave consent — working as intended.

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent
This audit is based on publicly observable website behavior.