Open navigation menu
Audit guide
How to audit website consent behavior
To audit website consent behavior, compare what the consent interface presents with what the website actually does before and after a recorded consent choice. Review banner controls, accept and reject paths, tracking requests, cookie timing, and whether vendor activity changes after interaction. CertScore.ai automates this by observing public website behavior and turning the retained evidence into reviewable risk signals for consent, cookie, tracking, and related privacy behavior.
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
What to inspect
A practical consent review should inspect banner visibility, accept and reject paths, preference controls, tracking requests, cookie timing, and whether behavior changes after a recorded choice.
CertScore.ai focuses on public, observable behavior so teams can triage whether the live site matches the intended consent configuration.
Why evidence review matters
Consent behavior can vary by geography, browser state, page template, tag-manager release, and third-party vendor behavior.
Review the retained evidence before assigning work, and use repeat scans to confirm whether changes reduce the observed risk signals.
Sample JSON
Sample finding JSON from scans
Representative payloads from retained scan examples for the finding types discussed on this page.
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
Third-party tracking observed before recorded consent
pre_consent_tracking_detected
Illustrative public evidence sample
{
"example_type": "positive",
"domain": "example.com",
"requested_url": "https://example.com/",
"final_url": "https://example.com/",
"created_at": "2026-05-18T18:20:10.442Z",
"scanned_at": "2026-05-18T18:20:18.912Z",
"finding_id": "pre_consent_tracking_detected",
"finding_label": "Third-party tracking observed before recorded consent",
"section": "Privacy & Tracking",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"evidence": {
"counts": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"total_cookie_count": 3,
"total_vendor_count": 2,
"total_request_count": 12,
"total_tracker_count": 1,
"third_party_cookie_count": 0,
"third_party_request_count": 2,
"preConsentTrackingRequestCount": 1,
"preConsentTrackingSignalCount": 2
},
"evidence_snippets": [
"Example Tag Manager",
"Example Analytics",
"tagmanager.example",
"analytics.example",
"script_host:tagmanager.example",
"request:https://analytics.example/g/collect [query_redacted=true]",
"cookie:_ga [value_redacted=true]"
],
"vendors": [
"Example Tag Manager",
"Example Analytics"
],
"request_domains": [
"tagmanager.example",
"analytics.example"
],
"request_samples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookie_samples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"consent_summary": {
"cmp_vendor": "Example CMP",
"preconsent_tracking_detected": true,
"banner_present": true,
"consent_state_observed": "no_choice_observed",
"consent_action_observed_before_first_signal": false,
"observed_prior_consent_state_for_purpose": false
},
"fingerprinting_or_device_signals": {
"fingerprinting_vendor_detected": false,
"device_signal_vendor_detected": null
},
"runtime_anchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
]
},
"coverage_flags": [],
"known_limitations": [
"Illustrative public sample with redacted query strings and cookie values.",
"Review consent state, vendor purpose, regional configuration, and exemptions before taking action."
],
"selection_reason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [
"req_002:https://analytics.example/g/collect [query_redacted=true]",
"storage_001:_ga [value_redacted=true]"
],
"requestSamples": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageSamples": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Privacy & Tracking",
"criticality": "review",
"evidenceConfidence": "strong",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Classified non-essential request/storage before observed consent."
],
"highConfidenceRequires": [
"Usable coverage.",
"Purpose classification.",
"Runtime anchor."
],
"criticalOrTopRankingRequires": [
"Advertising/replay/identifier-sync or sensitive-surface context."
],
"demoteOrSuppressWhen": [
"Tag manager only.",
"Strict necessity.",
"Blocked scan.",
"Unreliable timing."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample with consent timeline, classified non-essential runtime anchors, and usable coverage.",
"consentTimeline": {
"firstRequestMs": 1137,
"firstThirdPartyRequestMs": 3405,
"firstCookieSeenMs": 3468,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [
{
"artifactRef": "req_001",
"role": "supporting_context_only",
"origin": "https://tagmanager.example",
"path": "/gtm.js",
"queryRedacted": true,
"timestampMs": 1137
},
{
"artifactRef": "req_002",
"role": "finding_supporting_artifact",
"origin": "https://analytics.example",
"path": "/g/collect",
"queryRedacted": true,
"timestampMs": 3405,
"essentiality": "non_essential",
"purposeCategory": "analytics_measurement"
}
],
"cookieOrStorageArtifacts": [
{
"artifactRef": "storage_001",
"role": "finding_supporting_artifact",
"name": "_ga",
"valueRedacted": true,
"timestampMs": 3468,
"essentiality": "non_essential",
"purposeCategory": "analytics_identifier"
}
],
"vendorCategory": "Example Tag Manager",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
Non-essential tracking continued after reject
reject_tracking_persists_after_reject
Illustrative public evidence sample
{
"finding_id": "reject_tracking_persists_after_reject",
"finding_label": "Non-essential tracking continued after reject",
"category": "Consent / tracking",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"evidence": {
"summary": "Retained runtime evidence showed a reject-style consent interaction followed by classified non-essential request or storage activity in the observed scan scope.",
"examples": [
{
"title": "Post-reject runtime artifact",
"lines": [
"artifact=req_002",
"role=finding_supporting_artifact",
"url=https://example.com/",
"reject_action_timestamp_ms=2600",
"reject_action_observed=true",
"post_reject_request_timestamp_ms=4120",
"request_origin=https://analytics.example",
"request_path=/collect [query_redacted=true]",
"vendor_category=analytics",
"essentiality=non_essential",
"review_caveat=manual review should confirm reject success, queued-beacon timing, purpose, necessity, and CMP/vendor configuration"
]
}
],
"automationLimits": [
"Automated evidence may not fully determine reject success, queued beacons, vendor responsibility, consent validity, or legal status.",
"Manual review is needed to confirm timing, purpose, CMP propagation, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "good",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Reject interaction plus post-reject classified non-essential request/storage."
],
"highConfidenceRequires": [
"Reject success.",
"Pre/post sequence.",
"Artifact classification."
],
"criticalOrTopRankingRequires": [
"Post-reject advertising/replay/identifier sync or repeated post-reject artifacts."
],
"demoteOrSuppressWhen": [
"Reject button present but not clicked.",
"Unknown essentiality.",
"Queued pre-reject beacon likely."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
Third-party cookie or storage observed before consent
third_party_cookie_pre_consent
Illustrative public evidence sample
{
"finding_id": "third_party_cookie_pre_consent",
"finding_label": "Third-party cookie or storage observed before consent",
"category": "Cookies",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"observed": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"evidence": {
"summary": "Retained runtime evidence showed a third-party cookie or storage artifact observed before CertScore recorded a consent action or a prior consent state associated with that purpose.",
"examples": [
{
"title": "Third-party cookie timing example",
"lines": [
"artifact=storage_001",
"role=finding_supporting_artifact",
"url=https://example.com/",
"type=cookie_observed",
"cookie_name=example_id",
"value_redacted=true",
"cookie_domain=.ads.example",
"cookie_scope=third_party",
"first_seen_ms=1840",
"consent_action_observed_before_first_seen=false",
"prior_consent_state_for_purpose=false",
"purpose_category=advertising_or_measurement [manual_review_recommended]"
]
}
],
"automationLimits": [
"Automated storage evidence may not determine purpose, necessity, exemption status, or legal status.",
"Manual review is needed to confirm cookie purpose, consent state, regional configuration, and remediation quality."
]
},
"evidenceVersion": "2.0",
"scanContext": {
"domain": "example.com",
"requestedUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"publicWebObservation": true,
"legalConclusion": false
},
"artifacts": {
"runtimeAnchors": [],
"requestSamples": [],
"cookieOrStorageSamples": [],
"policyAnchors": [],
"rawValuesRetained": false
},
"classification": {
"section": "Review signal",
"criticality": "high",
"evidenceConfidence": "review_signal",
"directVsInferred": "direct_observation",
"legalStatusDetermined": false
},
"coverage": {
"coverageFlags": [],
"coverageReliableForTopRanking": true,
"notDetectedMeans": "not_observed_in_scan_scope",
"manualReviewNeeded": true
},
"topFindingCalibration": {
"minimumToSurface": [
"Third-party cookie/storage artifact before consent."
],
"highConfidenceRequires": [
"Domain/scope/timing plus purpose or vendor classification."
],
"criticalOrTopRankingRequires": [
"Advertising/identity/sync persistent storage or repeated pages."
],
"demoteOrSuppressWhen": [
"Request only.",
"Cookie name only.",
"Unknown timing.",
"Blocked scan."
]
},
"automationLimits": [
"Automated public-web observations do not determine legal status, compliance status, proof that a law was breached, proof of data capture, or tracking lawfulness.",
"Manual review is needed to confirm purpose, necessity, jurisdiction, configuration, exemptions, and remediation quality."
],
"redaction": {
"rawIdentifiersRetained": false,
"storageValueContentsRetained": false,
"completeQueryStringsRetained": false,
"requestBodiesRetained": false,
"renderedPageImagesRetained": false,
"sourceMarkupRetained": false,
"userEnteredValuesRetained": false
},
"selectionReason": "Illustrative public sample selected to show retained evidence, directness, limits, and top-finding calibration.",
"consentTimeline": {
"firstRequestMs": null,
"firstThirdPartyRequestMs": null,
"firstCookieSeenMs": null,
"consentActionObservedBeforeFirstSignal": false,
"consentStateBasis": "observed_scan_scope",
"manualReviewNeeded": true
},
"networkEvidence": {
"artifactRefs": [],
"cookieOrStorageArtifacts": [],
"vendorCategory": "manual_review_recommended",
"queryStringsRedacted": true,
"valuesRedacted": true,
"manualReviewNeeded": true
}
}Summary for AI assistants
How to audit website consent behavior explains an observable public website review topic in CertScore.ai's evidence-backed scanning workflow.
CertScore.ai observes public website behavior around tracking, cookies, consent behavior, session replay indicators, fingerprinting-related signals, accessibility, and privacy disclosures. CertScore.ai findings are automated risk signals for review and are not legal advice, certification, or compliance determinations.
Run a free website behavior scan
Check observable tracking, cookies, consent, accessibility, and privacy risk signals.
CertScore.ai automated findings may contain errors. Always review the underlying evidence. CertScore.ai does not provide legal advice, certification, or compliance determinations.