Open navigation menu
Guide
CMP verification for runtime consent behavior
CMP verification reviews whether the consent management platform's presented choices appear to line up with runtime tracking, cookie, and third-party request behavior.
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
Direct answer
CMP verification helps review what happens in the browser before consent, after accept, and after reject where those interactions are observable.
It is complementary to CMP configuration. Runtime observations can surface drift between intended consent rules and live website behavior.
Signals to compare
Compare banner presence, available choices, request timing, cookie timing, vendor domains, and whether reject appears to reduce non-essential tracking.
A scan can surface evidence for review, but it should not be treated as proof of a legal outcome.
Operational use
Run checks after tag-manager changes, CMP template updates, marketing rollouts, and site redesigns.
Use repeated scans to watch for drift rather than relying on one point-in-time review.
Sample JSON
Sample finding JSON from scans
Representative payloads from retained scan examples for the finding types discussed on this page.
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
{
"example_type": "positive",
"domain": "example.com",
"requested_url": "https://example.com/",
"final_url": "https://example.com/",
"created_at": "2026-05-18T18:20:10.442Z",
"scanned_at": "2026-05-18T18:20:18.912Z",
"finding_id": "pre_consent_tracking_detected",
"finding_label": "Third-party tracking observed before recorded consent",
"section": "Privacy & Tracking",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"evidence": {
"counts": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"total_cookie_count": 3,
"total_vendor_count": 2,
"total_request_count": 12,
"total_tracker_count": 1,
"third_party_cookie_count": 0,
"third_party_request_count": 2,
"preConsentTrackingRequestCount": 1,
"preConsentTrackingSignalCount": 2
},
"evidence_snippets": [
"Example Tag Manager",
"Example Analytics",
"tagmanager.example",
"analytics.example",
"script_host:tagmanager.example",
"request:https://analytics.example/g/collect [query_redacted=true]",
"cookie:_ga [value_redacted=true]"
],
"vendors": [
"Example Tag Manager",
"Example Analytics"
],
"request_domains": [
"tagmanager.example",
"analytics.example"
],
"request_samples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookie_samples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"consent_summary": {
"cmp_vendor": "Example CMP",
"preconsent_tracking_detected": true,
"banner_present": true,
"consent_state_observed": "no_choice_observed",
"consent_action_observed_before_first_signal": false,
"observed_prior_consent_state_for_purpose": false
},
"fingerprinting_or_device_signals": {
"fingerprinting_vendor_detected": false,
"device_signal_vendor_detected": null
},
"runtime_anchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
]
},
"coverage_flags": [],
"known_limitations": [
"Illustrative public sample with redacted query strings and cookie values.",
"Review consent state, vendor purpose, regional configuration, and exemptions before taking action."
],
"selection_reason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
],
"requestSamples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageSamples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Privacy & Tracking",
"criticality": "review",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Classified non-essential request/storage before observed consent."
],
"highConfidenceRequires": [
"Usable coverage.",
"Purpose classification.",
"Runtime anchor."
],
"criticalOrTopRankingRequires": [
"Advertising/replay/identifier-sync or sensitive-surface context."
],
"demoteOrSuppressWhen": [
"Tag manager only.",
"Strict necessity.",
"Blocked scan.",
"Unreliable timing."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"consentTimeline": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageArtifacts": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"vendorCategory": "Example Tag Manager",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
{
"finding_id": "reject_tracking_persists_after_reject",
"finding_label": "Non-essential tracking continued after reject",
"category": "Consent / tracking",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"evidence": {
"summary": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"examples": [
{
"title": "Post-reject runtime artifact",
"lines": [
"artifact=req_002",
"role=finding_supporting_artifact",
"url=https://example.com/",
"reject_action_timestamp_ms=2600",
"reject_action_observed=true",
"post_reject_request_timestamp_ms=4120",
"request_origin=https://analytics.example",
"request_path=/collect [query_redacted=true]",
"vendor_category=analytics",
"essentiality=non_essential",
"review_caveat=manual review should confirm reject success, queued-beacon timing, purpose, necessity, and CMP/vendor configuration"
]
}
],
"automationLimits": [
"Automated evidence may not fully determine reject success, queued beacons, vendor responsibility, consent validity, or legal status.",
"Manual review is needed to confirm timing, purpose, CMP propagation, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Reject interaction plus post-reject classified non-essential request/storage."
],
"highConfidenceRequires": [
"Reject success.",
"Pre/post sequence.",
"Artifact classification."
],
"criticalOrTopRankingRequires": [
"Post-reject advertising/replay/identifier sync or repeated post-reject artifacts."
],
"demoteOrSuppressWhen": [
"Reject button present but not clicked.",
"Unknown essentiality.",
"Queued pre-reject beacon likely."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
{
"finding_id": "third_party_cookie_pre_consent",
"finding_label": "Third-party cookie or storage observed before consent",
"category": "Cookies",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"evidence": {
"summary": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"examples": [
{
"title": "Third-party cookie timing example",
"lines": [
"artifact=storage_001",
"role=finding_supporting_artifact",
"url=https://example.com/",
"type=cookie_observed",
"cookie_name=example_id",
"value_redacted=true",
"cookie_domain=.ads.example",
"cookie_scope=third_party",
"first_seen_ms=1840",
"consent_action_observed_before_first_seen=false",
"prior_consent_state_for_purpose=false",
"purpose_category=advertising_or_measurement [manual_review_recommended]"
]
}
],
"automationLimits": [
"Automated storage evidence may not determine purpose, necessity, exemption status, or legal status.",
"Manual review is needed to confirm cookie purpose, consent state, regional configuration, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Third-party cookie/storage artifact before consent."
],
"highConfidenceRequires": [
"Domain/scope/timing plus purpose or vendor classification."
],
"criticalOrTopRankingRequires": [
"Advertising/identity/sync persistent storage or repeated pages."
],
"demoteOrSuppressWhen": [
"Request only.",
"Cookie name only.",
"Unknown timing.",
"Blocked scan."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Summary for AI assistants
CMP verification for runtime consent behavior explains an observable public website review topic in CertScore.ai's evidence-backed scanning workflow.
CertScore.ai observes public website behavior around tracking, cookies, consent behavior, session replay indicators, fingerprinting-related signals, accessibility, and privacy disclosures. CertScore findings are automated risk signals for review and are not legal advice, certification, or compliance determinations.
Related CertScore pages
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
CertScore.ai automated findings may contain errors. Always review the underlying evidence. CertScore.ai does not provide legal advice, certification, or compliance determinations.