Wayfair Cookie Compliance Report

Wayfair

wayfair.com

Compare

https://wayfair.com

Scanned Apr 15, 2026 · 25.1s

Your website score is

0/100

Critical

Grade

BannerConsent Banner

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 37 user data leaks before consent on wayfair.com, including Datadome (Tracker Tracker), HumanSecurity (Tracker Tracker), Human Security (Advertising Tracker) and 3 more.

Security Headers

3/6 present

Strict-Transport-Security

max-age=15552000; includeSubDomains; preload

Content-Security-Policy

frame-ancestors self https://*.wayfair.com https://*.wayfair.ca https://*.wayfair.co.uk https://*.wayfair.de https://*.wayfair.ie https://*.jossandmain.com https://*.allmodern.com https://*.birchlane.com https://*.perigold.com

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

Set X-Content-Type-Options to 'nosniff' to prevent MIME type sniffing

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

Post-Rejection Audit

Reject Button

Missing

Post-Rejection Fires

0 vendors

Consent Mode

Not Detected

GTM Load

Not detected

Consent Mode V2: Not Detected

Google Consent Mode was not detected on this site.

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

No consent record written — cannot prove consent was given

No CMP consent cookie or localStorage entry was found after the consent interaction. GDPR requires controllers to demonstrate consent was given.

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising1 vendor

Analytics3 vendors

Security3

Functional2

Critical14

Datadome (Tracker Tracker)2 findings

js.datadome.co, api-js.datadome.co

criticalNetworkDatadome (Tracker Tracker)

Datadome (tracker) loaded before consent

Host: js.datadome.coFired: 693ms after load

criticalNetworkDatadome (Tracker Tracker)

Datadome (tracker) loaded before consent

Host: api-js.datadome.coFired: 5495ms after load

HumanSecurity (Tracker Tracker)2 findings

tzm.px-cloud.net, b.px-cdn.net

criticalNetworkHumanSecurity (Tracker Tracker)

HumanSecurity (tracker) loaded before consent

Host: tzm.px-cloud.netFired: 1201ms after load

criticalNetworkHumanSecurity (Tracker Tracker)

HumanSecurity (tracker) loaded before consent

Host: b.px-cdn.netFired: 1623ms after load

criticalNetworkAdvertisingHuman Security (Advertising Tracker)

Human Security (advertising) loaded before consent

Host: sonar.script.acFired: 1622ms after load

QuantumMetric (Analytics Tracker)2 findings

cdn.quantummetric.com, ingest.quantummetric.com

criticalNetworkAnalyticsQuantumMetric (Analytics Tracker)

QuantumMetric (analytics) loaded before consent

Host: cdn.quantummetric.comFired: 3183ms after load

criticalNetworkAnalyticsQuantumMetric (Analytics Tracker)

QuantumMetric (analytics) loaded before consent

Host: ingest.quantummetric.comFired: 4533ms after load

Conviva (Analytics Tracker)2 findings

rc.conviva.com, f45ac1494d8ec7ae20b6f6c2f572b986907dac62.appgw.conviva.com

criticalNetworkAnalyticsConviva (Analytics Tracker)

Conviva (analytics) loaded before consent

Host: rc.conviva.comFired: 3675ms after load

criticalNetworkAnalyticsConviva (Analytics Tracker)

Conviva (analytics) loaded before consent

Host: f45ac1494d8ec7ae20b6f6c2f572b986907dac62.appgw.conviva.comFired: 3743ms after load

criticalCookieAnalyticsLinkedIn

LinkedIn cookie "vid" set before consent — ID associated with a visitor to a LinkedIn microsite which is used to determine conversions for lead gen purposes

Cookie: vidDomain: .wayfair.comRetention: 1 year

criticalNetwork

No consent banner detected — all cookies and tags fire without user consent

criticalConsent

No "reject all" option found — users cannot refuse non-essential cookies (ICO guidance requires this)

criticalConsent Record

No recognizable consent cookie or storage entry detected after interaction — GDPR Article 7(1) requires controllers to demonstrate consent was given (server-side storage cannot be verified)

criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings26

warningNetwork

Unknown third-party request to assets.wfcdn.com before consent

Host: assets.wfcdn.comFired: 676ms after load

warningNetwork

Unknown third-party request to cdn02.taggstar.com before consent

Host: cdn02.taggstar.comFired: 693ms after load

warningNetwork

Unknown third-party request to api.us-east-2.taggstar.com before consent

Host: api.us-east-2.taggstar.comFired: 3290ms after load

warningNetwork

Unknown third-party request to secure.img1-fg.wfcdn.com before consent

Host: secure.img1-fg.wfcdn.comFired: 5342ms after load

warningStorage

localStorage key "tk_1776287646058" written before consent

Key: tk_1776287646058Type: localStorageFired: 1180ms after load

warningStorage

sessionStorage key "tk_1776287646067" written before consent

Key: tk_1776287646067Type: sessionStorageFired: 1189ms after load

warningStorage

localStorage key "PX3Vk96I6i_px-ff" written before consent

Key: PX3Vk96I6i_px-ffType: localStorageFired: 1195ms after load

warningStorage

localStorage key "PX3Vk96I6i_px_hvd" written before consent

Key: PX3Vk96I6i_px_hvdType: localStorageFired: 1567ms after load

warningStorage

sessionStorage key "pxsid" written before consent

Key: pxsidType: sessionStorageFired: 1575ms after load

warningStorage

sessionStorage key "px_tk_1776287646477" written before consent

Key: px_tk_1776287646477Type: sessionStorageFired: 1599ms after load

warningStorage

sessionStorage key "px_tk_1776287646482" written before consent

Key: px_tk_1776287646482Type: sessionStorageFired: 1604ms after load

warningStorage

sessionStorage key "px_0f98be47" written before consent

Key: px_0f98be47Type: sessionStorageFired: 1605ms after load

warningStorage

localStorage key "px_33df3rmnerrf5" written before consent

Key: px_33df3rmnerrf5Type: localStorageFired: 1670ms after load

warningStorage

localStorage key "__wfAuthLocalStorageFeatureDetect" written before consent

Key: __wfAuthLocalStorageFeatureDetectType: localStorageFired: 2573ms after load

warningStorage

localStorage key "lastRefreshedDateTime" written before consent

Key: lastRefreshedDateTimeType: localStorageFired: 2573ms after load

warningStorage

localStorage key "tokenExpirationEpochInSeconds" written before consent

Key: tokenExpirationEpochInSecondsType: localStorageFired: 2573ms after load

warningStorage

localStorage key "_taggstar_test" written before consent

Key: _taggstar_testType: localStorageFired: 3272ms after load

warningStorage

localStorage key "ConvivaVisualLabellingConfig" written before consent

Key: ConvivaVisualLabellingConfigType: localStorageFired: 3638ms after load

warningStorage

localStorage key "modernizr" written before consent

Key: modernizrType: localStorageFired: 3647ms after load

warningStorage

localStorage key "Conviva.sdkConfig" written before consent

Key: Conviva.sdkConfigType: localStorageFired: 3648ms after load

warningStorage

localStorage key "convivaOutQueue_CAT_post2.expires" written before consent

Key: convivaOutQueue_CAT_post2.expiresType: localStorageFired: 3667ms after load

warningStorage

localStorage key "convivaOutQueue_CAT_post2" written before consent

Key: convivaOutQueue_CAT_post2Type: localStorageFired: 3667ms after load

warningStorage

localStorage key "_taggstar_cfg_wayfaircom" written before consent

Key: _taggstar_cfg_wayfaircomType: localStorageFired: 3711ms after load

warningStorage

localStorage key "ConvivaRemoteConfig" written before consent

Key: ConvivaRemoteConfigType: localStorageFired: 3720ms after load

warningStorage

localStorage key "ConvivaSessionRecordingStarted" written before consent

Key: ConvivaSessionRecordingStartedType: localStorageFired: 3735ms after load

warningStorage

localStorage key "popup-debug-overlay.enabled" written before consent

Key: popup-debug-overlay.enabledType: localStorageFired: 3873ms after load

Info3

infoNetworkCloudflare (Cdn)

Cloudflare (cdn) loaded before consent

Host: cdnjs.cloudflare.comFired: 3870ms after load

infoCookieFunctional

DataDome bot protection — necessary for site security

Cookie: datadomeDomain: .wayfair.com

infoCookieFunctional

Cross-site request forgery token — security mechanism

Cookie: CSN_CSRFDomain: .wayfair.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan wayfair.com →

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com