https://xm.com
Scanned Apr 15, 2026 · 32.6s
Your website score is
Grade
BannerConsent Banner
Yes
Regulatory Compliance
Multi-regulation overview — click any regulation for details
Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.
Tag Leak detected 32 user data leaks before consent on xm.com, including FullStory, VWO, GA4 and 3 more.
Security Headers
2/6 presentStrict-Transport-Security
max-age=15768000 ; preload
Content-Security-Policy
Add a Content-Security-Policy header to prevent XSS and code injection attacks
X-Frame-Options
Add X-Frame-Options header to prevent clickjacking attacks
X-Content-Type-Options
nosniff
Referrer-Policy
Set a Referrer-Policy header to control how much referrer information is shared
Permissions-Policy
Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation
Google Consent Mode
V2Consent Parameters
Issues (1)
analytics_storage defaults to "granted" — should default to "denied" for GDPR compliance
Post-Rejection Audit
Reject Button
Missing
Post-Rejection Fires
0 vendors
Consent Mode
Not Detected
GTM Load
968ms pre-consent
Google Tag Manager(GTM-KPSPFZ)
Loaded 968ms after page load — before the consent banner was detected (banner appeared at 9332ms). Per a 2022 German court ruling, GTM itself transmits the user's IP to Google pre-consent.
Consent Mode V2: Not Detected
Google Consent Mode was not detected on this site.
Consent Record Audit
Issues detectedConsent record stored after interaction
GDPR Art. 7(1)No consent record written — cannot prove consent was given
No CMP consent cookie or localStorage entry was found after the consent interaction. GDPR requires controllers to demonstrate consent was given.
Consent withdrawal mechanism accessible
GDPR Art. 7(3)No way for users to withdraw consent found on page
No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.
Why this matters
Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.
Tracker categories detected
Critical19
Google Analytics3 findingsID trackedregion1.google-analytics.com, _ga_P4EP81EM3L, _ga
region1.google-analytics.com, _ga_P4EP81EM3L, _ga
GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics
Google Analytics cookie "_ga_P4EP81EM3L" set before consent
Google Analytics cookie "_ga" set before consent
FullStory4 findingsedge.fullstory.com, rs.fullstory.com, fs_uid, _fs_tab_id
edge.fullstory.com, rs.fullstory.com, fs_uid, _fs_tab_id
FullStory (FullStory) loaded before consent: FullStory session recording and digital experience analytics
FullStory (FullStory) loaded before consent: FullStory session recording and digital experience analytics
FullStory cookie "fs_uid" set before consent
FullStory (FullStory) wrote "_fs_tab_id" to sessionStorage before consent
VWO7 findingsdev.visualwebsiteoptimizer.com, _vwo_uuid_v2, _vwo_uuid, _vis_opt_s, _vis_opt_test_cookie, _vwo_ds, _vwo_sn
dev.visualwebsiteoptimizer.com, _vwo_uuid_v2, _vwo_uuid, _vis_opt_s, _vis_opt_test_cookie, _vwo_ds, _vwo_sn
VWO (VWO) loaded before consent: VWO A/B testing and conversion optimization
VWO cookie "_vwo_uuid_v2" set before consent
VWO cookie "_vwo_uuid" set before consent
VWO cookie "_vis_opt_s" set before consent
VWO cookie "_vis_opt_test_cookie" set before consent
VWO cookie "_vwo_ds" set before consent
VWO cookie "_vwo_sn" set before consent
New Relic (analytics) loaded before consent
Wingify (analytics) loaded before consent
No "reject all" option found — users cannot refuse non-essential cookies (ICO guidance requires this)
No recognizable consent cookie or storage entry detected after interaction — GDPR Article 7(1) requires controllers to demonstrate consent was given (server-side storage cannot be verified)
No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)
Warnings16
Google Tag Manager2 findingsID trackedwww.googletagmanager.com
www.googletagmanager.com
Google Tag Manager loads before consent — this is expected and required for GCM v2 to initialise consent defaults before any tags fire
GTM loaded before consent banner — IP address transmitted to Google pre-consent (container: GTM-KPSPFZ)
Unknown was clicked but no consent storage was written — tags may continue firing as if consent was never given
Google Ads cookieless ping detected before consent — GCM v2 active with ad_storage and ad_user_data: denied. No user identifiers are collected in this request.
Unknown third-party request to cdn.moloco.com before consent
Unknown third-party request to cloud.xm-cdn.com before consent
localStorage key "vwoSn" written before consent
localStorage key "_vwo_1028869_config" written before consent
localStorage key "ss_incoming_params" written before consent
localStorage key "ss_webReferrer" written before consent
localStorage key "NRBA_SESSION" written before consent
localStorage key "_vwo_eventHistSession" written before consent
localStorage key "_vwo_eventHist" written before consent
localStorage key "_vwo_nls_q_1028869" written before consent
localStorage key "_vwo_eventHistLastSession" written before consent
localStorage key "_vwo_nlsCache" written before consent
Info5
New Relic (New Relic) loaded before consent: New Relic browser monitoring agent
Akamai cookie "AKA_A2" set before consent — Used for Akamai's Advanced Acceleration feature, intended to improve web performance
Akamai bot manager — necessary for site protection
Akamai bot management session — necessary for site protection
Akamai bot management — necessary for site protection
Compliant34
TikTok Pixel6 findingsID trackedanalytics.tiktok.com, analytics-ipv6.tiktokw.us, _ttp, tt_sessionId, tt_appInfo, tt_pixel_session_index
analytics.tiktok.com, analytics-ipv6.tiktokw.us, _ttp, tt_sessionId, tt_appInfo, tt_pixel_session_index
TikTok Pixel (TikTok) loaded correctly after consent
TikTok Pixel (TikTok) loaded correctly after consent
TikTok Pixel cookie "_ttp" set correctly after consent
TikTok Pixel (TikTok) wrote "tt_sessionId" to sessionStorage correctly after consent
TikTok Pixel (TikTok) wrote "tt_appInfo" to sessionStorage correctly after consent
TikTok Pixel (TikTok) wrote "tt_pixel_session_index" to sessionStorage correctly after consent
Microsoft Clarity2 findingsID trackedwww.clarity.ms, scripts.clarity.ms
www.clarity.ms, scripts.clarity.ms
Microsoft Clarity (Microsoft) loaded correctly after consent
Microsoft Clarity (Microsoft) loaded correctly after consent
Meta Pixel3 findingsID trackedwww.facebook.com, connect.facebook.net, _fbp
www.facebook.com, connect.facebook.net, _fbp
Meta Pixel (Meta) loaded correctly after consent
Meta Pixel (Meta) loaded correctly after consent
Meta Pixel cookie "_fbp" set correctly after consent
Twitter/X Pixel (X (Twitter)) loaded correctly after consent
Microsoft Ads3 findingsbat.bing.com, _uetsid, _uetvid
bat.bing.com, _uetsid, _uetvid
Microsoft Ads (Microsoft) loaded correctly after consent
Microsoft Ads cookie "_uetsid" set correctly after consent
Microsoft Ads cookie "_uetvid" set correctly after consent
Taboola5 findingscdn.taboola.com, trc.taboola.com, taboola_session_id, t_gid, t_pt_gid
cdn.taboola.com, trc.taboola.com, taboola_session_id, t_gid, t_pt_gid
Taboola (Taboola) loaded correctly after consent
Taboola (Taboola) loaded correctly after consent
Taboola cookie "taboola_session_id" set correctly after consent
Taboola cookie "t_gid" set correctly after consent
Taboola cookie "t_pt_gid" set correctly after consent
Google Ads4 findingswww.google.com, googleads.g.doubleclick.net, _gcl_au, _gcl_ls
www.google.com, googleads.g.doubleclick.net, _gcl_au, _gcl_ls
Google Ads (Google) loaded correctly after consent
Google Ads (Google) loaded correctly after consent
Google Ads cookie "_gcl_au" set correctly after consent
Google Ads (Google) wrote "_gcl_ls" to localStorage correctly after consent
DoubleClick/Google Marketing2 findingstest_cookie, IDE
test_cookie, IDE
DoubleClick/Google Marketing cookie "test_cookie" set correctly after consent
DoubleClick/Google Marketing cookie "IDE" set correctly after consent
X5 findingsmuc_ads, guest_id_marketing, guest_id_ads, personalization_id, guest_id
muc_ads, guest_id_marketing, guest_id_ads, personalization_id, guest_id
X cookie "muc_ads" set correctly after consent
X cookie "guest_id_marketing" set correctly after consent
X cookie "guest_id_ads" set correctly after consent
X cookie "personalization_id" set correctly after consent
X cookie "guest_id" set correctly after consent
Bing / Microsoft cookie "MUID" set correctly after consent
Adform cookie "uid" set correctly after consent
Criteo cookie "cto_bundle" set correctly after consent
Is this your site?
Run a full multi-page scan with monitoring and get detailed remediation steps
Scan xm.com →This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com