GDPR website privacy signals from real browser behavior

What CertScore observes: Runtime evidence showed a classified non-essential tracking, analytics, advertising, cross-site measurement, or storage signal before CertScore observed a consent action or a prior consent state associated with that purpose.

Why it may matter for review: Runtime evidence showed a classified non-essential tracking, analytics, advertising, cross-site measurement, or storage signal before CertScore observed a consent action or a prior consent state associated with that purpose. This may be relevant to consent timing, cookie/tracker, storage, transparency, and user-choice review depending on jurisdiction, purpose, configuration, and exemptions.

What CertScore observes: Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.

Why it may matter for review: Retained runtime evidence showed post-reject request or storage signals that may be relevant to consent enforcement, cookie/tracker, storage/access, transparency, and vendor-governance review. Applicability depends on reject success, timing, purpose, consent state, necessity, exemptions, jurisdiction, and manual review.

What CertScore observes: Retained consent-surface evidence showed that a reject, decline, or equivalent refusal control was not observed on the initial consent layer, or appeared less directly available than the accept path within the observed scan scope.

Why it may matter for review: Retained consent-surface evidence showed refusal-control availability or path-depth signals, such as a refusal option not observed on the initial layer, nested behind another control, or presented through a less direct path. These signals may be relevant to consent, cookie/tracker, transparency, and choice-architecture review depending on jurisdiction, CMP configuration, equivalent choice paths, accessibility, and manual review.

What CertScore observes: Retained consent-surface evidence showed accept and refusal choices that appeared visually, procedurally, or structurally imbalanced within the observed scan scope.

Why it may matter for review: Retained consent-surface evidence showed visual, procedural, or structural choice-architecture signals that may be relevant to consent, cookie/tracker, transparency, accessibility, and consumer-protection review. Applicability depends on jurisdiction, region, purpose, CMP configuration, available choice paths, accessibility, user impact, and manual review.

What CertScore observes: Retained consent-surface evidence showed choice-architecture signals, such as control availability, path depth, visual hierarchy, forced interaction, or repeated prompting, that may require consent UX or consumer-protection review.

Why it may matter for review: Retained consent-surface evidence showed choice-architecture signals that may be relevant to consent, cookie/tracker, transparency, accessibility, consumer-protection, and privacy-claims review. Applicability depends on jurisdiction, region, purpose, CMP configuration, equivalent choice paths, public statements, accessibility, user impact, and manual review.

What CertScore observes: Retained outbound request evidence showed identifier-like keys or values moving to a different domain or third-party context within the observed scan scope.

Why it may matter for review: Retained outbound request evidence showed identifier-like cross-domain request patterns that may be relevant to tracking, advertising, analytics, attribution, consent, transparency, sale/share, and vendor-governance review. Applicability depends on identifier scope, purpose, destination role, consent state, jurisdiction, server-side behavior, and manual review.

What CertScore observes: Retained network evidence showed adtech, RTB, sync, match, redirect, or identifier-like request patterns that may be relevant to cookie/tracker, advertising, consent, transparency, sale/share, and vendor-governance review.

Why it may matter for review: Retained network evidence showed adtech, RTB, sync, match, redirect, or identifier-like request patterns that may be relevant to cookie/tracker, advertising, consent, transparency, sale/share, and vendor-governance review. Applicability depends on endpoint purpose, identifier scope, consent state, jurisdiction, vendor role, server-side behavior, and manual review.

What CertScore observes: Runtime evidence that may be relevant to privacy review.

Why it may matter for review: The retained evidence can help reviewers prioritize consent, cookie, tracking, disclosure, or data-protection questions.

What CertScore observes: Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope.

Why it may matter for review: Retained runtime evidence showed session replay, heatmap, recording, or behavior-analytics service signals that may be relevant to consent, transparency, minimization, security, sensitive-page exclusion, and vendor-governance review. Browser-visible evidence does not determine capture, retention, interception, or legal status.

What CertScore observes: Retained runtime and page-surface evidence showed session-replay-related signals on or near a form, flow, or page surface that may collect sensitive information.

Why it may matter for review: Retained runtime and page-surface evidence showed session-replay-related signals near a sensitive-input or sensitive-context surface that may be relevant to masking, consent, special-category or high-risk context, security, and vendor-governance review. Browser-visible evidence does not determine capture, retention, interception, or legal status.

What CertScore observes: Retained page and runtime evidence showed a sensitive-input or sensitive-context surface alongside third-party tracking, analytics, advertising, replay, or measurement context in the observed scan scope.

Why it may matter for review: Retained page and runtime evidence showed sensitive-input or sensitive-context signals alongside third-party tracking context that may be relevant to privacy, consent, minimization, sensitive-data, and vendor-governance review. Applicability depends on field purpose, payload contents, vendor role, consent state, jurisdiction, and manual review.

What CertScore observes: Retained runtime and public-surface evidence showed observed cookie, storage, vendor, or domain activity that was not clearly reflected in retained cookie-policy, CMP, or cookie-disclosure evidence in the scanned scope.

Why it may matter for review: Retained runtime cookie, storage, vendor, or domain evidence was compared with retained cookie-policy, CMP, preference-center, or privacy disclosure surfaces. This may be relevant to transparency, consent, purpose, retention, sale/share, opt-out, and vendor-governance review depending on jurisdiction, purpose, user region, and manual review.

What CertScore observes: Retained report evidence connected a public policy or disclosure claim to concrete runtime behavior, showed runtime third-party vendors/domains not clearly reflected in retained disclosure evidence, or retained consent-governance disclosure context as a supporting alignment review signal.

Why it may matter for review: Retained public policy, cookie, privacy, or downstream-sharing disclosure evidence was compared with concrete runtime behavior, vendor activity, consent flow, or disclosure-search evidence. This may be relevant to transparency, privacy claims, consent, sale/share, opt-out, retention, and vendor-governance review depending on jurisdiction, policy scope, user region, and manual review.