Finding reference

Cookie disclosure gap

Retained runtime and public-surface evidence showed observed cookie, storage, vendor, or domain activity that was not clearly reflected in retained cookie-policy, CMP, or cookie-disclosure evidence in the scanned scope. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

Selected finding

Cookie disclosure gap

HighReview Signal evidenceCorrelated observationDisclosure gapsFormal top-finding density pending calibration

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Why this matters

This observation can help reviewers decide whether the site behavior deserves deeper privacy, accessibility, consent, or consumer-protection review in context.

Detection methodology

CertScore compares retained runtime cookie/storage observations with retained public cookie-policy, privacy-policy, CMP, preference-center, and disclosure evidence where available. This finding is surfaced when observed cookie activity is not clearly covered by the retained disclosure evidence, such as missing provider, purpose, category, or cookie-family coverage. Supporting consent-governance disclosure context may note whether retained public materials clearly explain how consent choices can be changed, withdrawn, retained, renewed, or managed when runtime consent relevance is present. CertScore treats cookie-disclosure gaps as review signals. The scanner does not determine legal adequacy, completeness, applicability, or compliance status. Reviewers should consider cookie purpose, provider ownership, retention, policy version, regional disclosure variants, CMP cookie tables, and whether coverage limitations prevented CertScore from reaching the relevant disclosure surface.

Confidence semantics: Good when retained runtime cookie/storage evidence is compared against retained cookie-policy, CMP, or disclosure evidence and the mismatch is explicit; stronger when retained evidence includes cookie name or family, domain or provider, purpose/category, disclosure surface URL, reached-surface evidence, and coverage context. The runtime_vendor_not_disclosed subtype may support this parent when observed cookie/storage vendors or domains are not clearly reflected in retained disclosure evidence. Manual review is still needed for policy scope, regional variants, provider ownership, legal review, and remediation quality.

Top-finding calibrationWhat must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

Runtime cookie/storage activity plus retained cookie-policy, CMP, or disclosure evidence that does not clearly reflect the observed cookie, vendor, or domain.

High confidence requires

Cookie/domain/category evidence.
Reached policy or cookie-disclosure surface.
Clear mismatch rationale.
Retained runtime-vendor disclosure evidence where the subtype is used.
Consent-governance gaps remain supporting context unless corroborated by runtime consent evidence.

Top ranking requires

Advertising, analytics, identity, sync, persistent storage, or other promotion-grade runtime vendor/domain evidence with a disclosure alignment mismatch.

Demote or suppress when

Cookie count only.
Policy page not reached.
Blocked scan.
Mismatch not tied to a retained runtime cookie artifact.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.

Example evidence

Cookie disclosure mismatch example

artifact=cookie_disclosure_001
role=finding_supporting_artifact
subtype=runtime_vendor_not_disclosed
url=https://example.com/
runtime_cookie_name=example_id
runtime_cookie_domain=.ads.example
runtime_cookie_value_retained=false
possible_provider=Example Ads
possible_category=advertising_or_measurement
observed_runtime_domains=ads.example
unmatched_runtime_domains=ads.example
policy_surface_type=cookie_policy
policy_surface_reached=true
cookie_policy_url=https://example.com/cookie-policy
observed_policy_coverage=provider_or_cookie_family_not_found
mismatch_rationale=observed runtime vendor/domain did not clearly match retained cookie disclosure evidence
review_caveat=manual review should confirm provider ownership, purpose, retention, regional disclosure variants, and legal review

Review context

runtime_cookie_artifact_present=true
disclosure_surface_scanned=true
policy_surfaces_searched=[cookie_policy]
cmp_cookie_table_observed=manual_review_recommended
values_redacted=true
coverage_status=usable
evidence_confidence=moderate_or_strong
manual_review_needed=true

What should not count by itself

cookie_count=12 [insufficient_without_named_runtime_artifact]
policy_page_missing [audit_only_without_runtime_cookie_context]
cookie_name=example_id [insufficient_without_disclosure_comparison]
legal_review_claim [not_determined_by_automated_scan]

View redacted sample JSON

Redacted sample JSON

{
  "findingId": "cookie_disclosure_gap",
  "label": "Cookie disclosure gap",
  "category": "Disclosure gaps",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "correlated_observation",
  "evidence": {
    "summary": "Retained runtime and public-surface evidence showed observed cookie, storage, vendor, or domain activity that was not clearly reflected in retained cookie-policy, CMP, or cookie-disclosure evidence in the scanned scope.",
    "examples": [
      {
        "title": "Cookie disclosure mismatch example",
        "lines": [
          "artifact=cookie_disclosure_001",
          "role=finding_supporting_artifact",
          "subtype=runtime_vendor_not_disclosed",
          "url=https://example.com/",
          "runtime_cookie_name=example_id",
          "runtime_cookie_domain=.ads.example",
          "runtime_cookie_value_retained=false",
          "possible_provider=Example Ads",
          "possible_category=advertising_or_measurement",
          "observed_runtime_domains=ads.example",
          "unmatched_runtime_domains=ads.example",
          "policy_surface_type=cookie_policy",
          "policy_surface_reached=true",
          "cookie_policy_url=https://example.com/cookie-policy",
          "observed_policy_coverage=provider_or_cookie_family_not_found",
          "mismatch_rationale=observed runtime vendor/domain did not clearly match retained cookie disclosure evidence",
          "review_caveat=manual review should confirm provider ownership, purpose, retention, regional disclosure variants, and legal review"
        ]
      },
      {
        "title": "Review context",
        "lines": [
          "runtime_cookie_artifact_present=true",
          "disclosure_surface_scanned=true",
          "policy_surfaces_searched=[cookie_policy]",
          "cmp_cookie_table_observed=manual_review_recommended",
          "values_redacted=true",
          "coverage_status=usable",
          "evidence_confidence=moderate_or_strong",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "cookie_count=12 [insufficient_without_named_runtime_artifact]",
          "policy_page_missing [audit_only_without_runtime_cookie_context]",
          "cookie_name=example_id [insufficient_without_disclosure_comparison]",
          "legal_review_claim [not_determined_by_automated_scan]"
        ]
      }
    ]
  }
}

Regulatory review context

Cookie transparency and disclosure alignment review

Retained runtime cookie, storage, vendor, or domain evidence was compared with retained cookie-policy, CMP, preference-center, or privacy disclosure surfaces. This may be relevant to transparency, consent, purpose, retention, sale/share, opt-out, and vendor-governance review depending on jurisdiction, purpose, user region, and manual review.

ePrivacy cookie information and consent reviewGDPR transparency, purpose, and retention reviewCCPA/CPRA cookie, vendor, and retention disclosure reviewEU GDPR/ePrivacy cookie disclosure reviewUK PECR / ICO cookie transparency reviewCCPA/CPRA cookie disclosure and sale/share review

View applicability notes

Legal and regulatory frameworks

ePrivacy cookie information and consent reviewCookies, local storage, or similar technologies are observed and public cookie information or consent surfaces may need disclosure-alignment review.
GDPR transparency, purpose, and retention reviewCookie identifiers, online identifiers, analytics, advertising, or vendor disclosures may involve personal data or profiling depending on purpose and linkage.
CCPA/CPRA cookie, vendor, and retention disclosure reviewCalifornia users, persistent identifiers, advertising/analytics cookies, or cross-context behavioral advertising context may be relevant to categories, purposes, retention, sale/share, or opt-out disclosure review.

Jurisdictional contexts

EU GDPR/ePrivacy cookie disclosure reviewEU/EEA users and cookies, storage, analytics, advertising, or vendor disclosure surfaces may be in scope depending on purpose, consent state, and manual review.
UK PECR / ICO cookie transparency reviewUK users and cookie or similar-technology disclosures may be in scope depending on purpose, consent state, and manual review.
CCPA/CPRA cookie disclosure and sale/share reviewCalifornia users and observed advertising, analytics, persistent identifiers, or vendor activity may be relevant to disclosure, retention, sale/share, or opt-out review.

This finding does not determine legal status, disclosure adequacy, consent validity, sale/share status, or compliance status. Review retained runtime cookie/storage evidence, provider ownership, purpose, retention, policy versions, regional variants, CMP tables, and coverage limitations.

Evidence standard

Strong

Retained runtime evidence includes concrete cookie or storage artifacts with name or family, domain or provider context, category where available, and values redacted or omitted.
Retained public-surface evidence includes cookie-policy, privacy-policy, CMP, or disclosure coverage that was inspected during the scan.
Evidence identifies the mismatch between observed cookie behavior and retained disclosure coverage without relying on cookie counts alone.
Coverage context indicates the relevant public disclosure surface was not materially blocked, missing, or unreliable.
The finding does not claim legal adequacy or compliance status without manual review.

Good

Retained evidence shows runtime cookie activity and a plausible disclosure mismatch, but provider naming, category mapping, regional policy variants, or coverage completeness requires manual review.
The retained example is enough for a reviewer to compare runtime cookies with policy or CMP disclosure text manually.
The evidence is likely relevant to transparency and disclosure review, but legal adequacy, policy completeness, and applicability require manual review.

Audit-only

Cookie activity exists, but retained policy or disclosure coverage is incomplete.
A policy page exists, but the scan did not retain enough cookie-table or provider context to compare it with runtime cookies.
Provider or category names differ, but no retained runtime cookie artifact supports the mismatch.

Insufficient

Cookie count alone.
Cookie name alone without domain, provider, timing, or disclosure comparison.
Policy text alone without retained runtime cookie evidence.
Blocked or degraded scans where disclosure coverage cannot be trusted.
Claims about legal status, compliance status, or disclosure sufficiency based only on automated evidence.

Evidence levels explain how CertScore treats retained review artifacts. They are not legal conclusions.

Common causes

Cookie policy tables are maintained separately from live tag-manager or CMP configuration.
New analytics, advertising, replay, or measurement vendors were added without updating cookie disclosures.
Cookie categories, providers, or retention periods differ between runtime behavior and policy copy.
Regional cookie banners and global policy pages expose different provider lists.
Runtime cookies are set by embedded third parties whose provider names are not reflected in the disclosure surface.

Limitations and cautions

This finding is an automated cookie-disclosure review signal, not a legal conclusion, certification, compliance determination, or determination that a policy is legally insufficient.
Automated evidence can compare retained runtime cookie activity with retained disclosure coverage, but it may miss regional cookie tables, CMP preference-center details, or policy content loaded after interaction.
Provider names, cookie families, purposes, and categories may differ across vendor documentation, CMP labels, policy pages, and browser-visible cookies.
Manual review is needed to confirm policy scope, provider ownership, purpose mapping, retention, regional variants, and remediation quality.
Blocked, interrupted, or content-degraded scans may limit disclosure coverage and should not be treated as clean or complete.
CertScore redacts or avoids retaining cookie values, query strings, and sensitive payloads while preserving stable anchors needed for review.
Automated findings may contain errors and should be reviewed with the retained evidence.
Not detected means not observed in the scan scope; it is not proof of absence.
Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Reference notes

CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
EDPB consent guidance is relevant to consent quality and affirmative indication where consent is relied upon.
EU ePrivacy cookie/tracker principles are relevant to storing information or gaining access to information on user terminal equipment.
ICO cookie and similar technologies guidance is relevant to active consent, clear explanation, and essential-cookie exceptions.
CNIL cookie/tracker and analytics guidance is relevant to tracker consent and limited analytics exemptions.
FTC dark-pattern and commercial-surveillance materials may be relevant to hidden tracking or unclear user-choice review, but this finding does not determine deception, unfairness, or legal status.
Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.

Cookie disclosure gap