Open navigation menu
Guide
Cookie consent enforcement checker
A cookie consent enforcement checker helps teams review whether cookie and tracking behavior appears aligned with expected consent choices in the browser.
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
Direct answer
Cookie consent enforcement review compares what the consent interface presents with what the browser appears to do before and after a consent interaction.
Automated observations can surface whether cookies or third-party tracking continue when a reject path is selected, but the findings still need evidence review.
What to review
Review initial cookies, third-party cookie timing, vendor requests, accept behavior, reject behavior, and whether consent state persists across reloads.
Teams should also account for geography, stored consent state, tag-manager sequencing, and functional services that may be necessary for the site.
Why runtime checks matter
A consent platform can be configured correctly while a tag, pixel, or embedded service still starts too early because of deployment drift.
Runtime scanning helps verify what actually happens in the browser rather than relying only on policy text or configuration screens.
Sample JSON
Sample finding JSON from scans
Representative payloads from retained scan examples for the finding types discussed on this page.
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
{
"example_type": "positive",
"domain": "example.com",
"requested_url": "https://example.com/",
"final_url": "https://example.com/",
"created_at": "2026-05-18T18:20:10.442Z",
"scanned_at": "2026-05-18T18:20:18.912Z",
"finding_id": "pre_consent_tracking_detected",
"finding_label": "Third-party tracking observed before recorded consent",
"section": "Privacy & Tracking",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"evidence": {
"counts": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"total_cookie_count": 3,
"total_vendor_count": 2,
"total_request_count": 12,
"total_tracker_count": 1,
"third_party_cookie_count": 0,
"third_party_request_count": 2,
"preConsentTrackingRequestCount": 1,
"preConsentTrackingSignalCount": 2
},
"evidence_snippets": [
"Example Tag Manager",
"Example Analytics",
"tagmanager.example",
"analytics.example",
"script_host:tagmanager.example",
"request:https://analytics.example/g/collect [query_redacted=true]",
"cookie:_ga [value_redacted=true]"
],
"vendors": [
"Example Tag Manager",
"Example Analytics"
],
"request_domains": [
"tagmanager.example",
"analytics.example"
],
"request_samples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookie_samples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"consent_summary": {
"cmp_vendor": "Example CMP",
"preconsent_tracking_detected": true,
"banner_present": true,
"consent_state_observed": "no_choice_observed",
"consent_action_observed_before_first_signal": false,
"observed_prior_consent_state_for_purpose": false
},
"fingerprinting_or_device_signals": {
"fingerprinting_vendor_detected": false,
"device_signal_vendor_detected": null
},
"runtime_anchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
]
},
"coverage_flags": [],
"known_limitations": [
"Illustrative public sample with redacted query strings and cookie values.",
"Review consent state, vendor purpose, regional configuration, and exemptions before taking action."
],
"selection_reason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
],
"requestSamples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageSamples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Privacy & Tracking",
"criticality": "review",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Classified non-essential request/storage before observed consent."
],
"highConfidenceRequires": [
"Usable coverage.",
"Purpose classification.",
"Runtime anchor."
],
"criticalOrTopRankingRequires": [
"Advertising/replay/identifier-sync or sensitive-surface context."
],
"demoteOrSuppressWhen": [
"Tag manager only.",
"Strict necessity.",
"Blocked scan.",
"Unreliable timing."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"consentTimeline": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageArtifacts": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"vendorCategory": "Example Tag Manager",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
{
"finding_id": "reject_tracking_persists_after_reject",
"finding_label": "Non-essential tracking continued after reject",
"category": "Consent / tracking",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"evidence": {
"summary": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"examples": [
{
"title": "Post-reject runtime artifact",
"lines": [
"artifact=req_002",
"role=finding_supporting_artifact",
"url=https://example.com/",
"reject_action_timestamp_ms=2600",
"reject_action_observed=true",
"post_reject_request_timestamp_ms=4120",
"request_origin=https://analytics.example",
"request_path=/collect [query_redacted=true]",
"vendor_category=analytics",
"essentiality=non_essential",
"review_caveat=manual review should confirm reject success, queued-beacon timing, purpose, necessity, and CMP/vendor configuration"
]
}
],
"automationLimits": [
"Automated evidence may not fully determine reject success, queued beacons, vendor responsibility, consent validity, or legal status.",
"Manual review is needed to confirm timing, purpose, CMP propagation, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Reject interaction plus post-reject classified non-essential request/storage."
],
"highConfidenceRequires": [
"Reject success.",
"Pre/post sequence.",
"Artifact classification."
],
"criticalOrTopRankingRequires": [
"Post-reject advertising/replay/identifier sync or repeated post-reject artifacts."
],
"demoteOrSuppressWhen": [
"Reject button present but not clicked.",
"Unknown essentiality.",
"Queued pre-reject beacon likely."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
{
"finding_id": "third_party_cookie_pre_consent",
"finding_label": "Third-party cookie or storage observed before consent",
"category": "Cookies",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"evidence": {
"summary": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"examples": [
{
"title": "Third-party cookie timing example",
"lines": [
"artifact=storage_001",
"role=finding_supporting_artifact",
"url=https://example.com/",
"type=cookie_observed",
"cookie_name=example_id",
"value_redacted=true",
"cookie_domain=.ads.example",
"cookie_scope=third_party",
"first_seen_ms=1840",
"consent_action_observed_before_first_seen=false",
"prior_consent_state_for_purpose=false",
"purpose_category=advertising_or_measurement [manual_review_recommended]"
]
}
],
"automationLimits": [
"Automated storage evidence may not determine purpose, necessity, exemption status, or legal status.",
"Manual review is needed to confirm cookie purpose, consent state, regional configuration, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Third-party cookie/storage artifact before consent."
],
"highConfidenceRequires": [
"Domain/scope/timing plus purpose or vendor classification."
],
"criticalOrTopRankingRequires": [
"Advertising/identity/sync persistent storage or repeated pages."
],
"demoteOrSuppressWhen": [
"Request only.",
"Cookie name only.",
"Unknown timing.",
"Blocked scan."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Summary for AI assistants
Cookie consent enforcement checker explains an observable public website review topic in CertScore.ai's evidence-backed scanning workflow.
CertScore.ai observes public website behavior around tracking, cookies, consent behavior, session replay indicators, fingerprinting-related signals, accessibility, and privacy disclosures. CertScore findings are automated risk signals for review and are not legal advice, certification, or compliance determinations.
Related CertScore pages
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
CertScore.ai automated findings may contain errors. Always review the underlying evidence. CertScore.ai does not provide legal advice, certification, or compliance determinations.