Scan: kbdlab.io

Completed · Created Jun 4, 2026, 6:14 AM

Exec Summary

Action Needed · Benchmark: Commerce / retail

Immediate privacy and consent issues detected

Score note: Consent and pre-consent tracking risk is the main issue. CertScore did not confirm a first-layer GDPR/ePrivacy cookie consent banner, while advertising/analytics storage and tracking were observed before any recorded consent choice. Footer privacy/ad-choice controls were observed, but they do not establish a GDPR/ePrivacy accept/reject consent surface.

Overall score: 67/100 (expected 72)

3rd-party requests: 11 (expected 24)

Cookies before consent: 15 (expected 2)

Top findings

Highest-priority issues

Consent timing · high · Strong evidence · Seen on ~18% of scanned top sites

Third-party tracking observed before recorded consent

Signal snapshot

Review lenses

Consent platform

No consent banner observed

No working consent banner was retained for this scan.

Tracker footprint

Observed vendors and domains (9 total: 2 vendors, 7 domains)

  • Microsoft Clarity · vendor
  • Google Tag Manager · vendor
  • kbdlabimages.s3.us-eas... · domain
  • vitals.vercel-insights... · domain
  • www.googletagmanager.c... · domain
  • www.clarity.ms · domain
  • scripts.clarity.ms · domain
  • c.clarity.ms · domain
  • c.bing.com · domain

Policy Surfaces

Privacy policy

https://www.kbdlab.io/privacy-policy

  • The policy outlines CCPA and GDPR rights, including data access and deletion requests, and emphasizes children's privacy protection. — KBD Lab's Privacy Policy outlines data collection practices, user rights under CCPA, and contact information for inquiries.
  • Topics: GDPR, CCPA or CPRA, Data Retention, Children
  • Flags: Missing DSAR, Vague Policy Language, Vague Retention

Terms of service

https://www.kbdlab.io/terms-of-service

  • The Terms of Service for KBD Lab are governed by the laws of the Netherlands and do not mention arbitration. — The terms include a disclaimer of liability and state that the website is provided free of charge.

Fingerprinting

No probable fingerprinting detected

Minor fingerprinting indicators retained for review.

4 fingerprint indicators retained

Fingerprint evidence

Observed 6 fingerprint-relevant attribute categories. Observed canvas or WebGL API access associated with device rendering fingerprinting. Observed outbound third-party requests after collection. Collection started before consent UI was observed.

Regulatory checklists

Beta

GDPR / ePrivacy

Score: 28/100
Needs work
6 gaps · 1 review · 2 checked · 2 not testable

GDPR / ePrivacy review summary

Consent and pre-consent tracking risk is the main issue. 9 of 11 in-scope rows had usable automated evidence. 6 gaps observed, 1 review signal. Review retained evidence for consent timing, refusal behavior, post-choice controls, runtime vendor disclosure alignment, and cross-border analytics/tracking endpoint context.

Coverage area

Consent banner / preference surface

Not observed · Review signal

Privacy/ad-choice controls were observed, but a first-layer GDPR/ePrivacy cookie consent banner was not confirmed.

Privacy/ad-choice surface observed; GDPR consent banner not confirmed.

Advanced evidence

Evidence: consent control lifecycle

Surface purpose: unknown

Placement: unknown

{
  "assessmentStatus": "review_signal",
  "coverageArea": "Consent banner / preference surface",
  "evidenceState": "not_observed",
  "status": "Not confirmed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.consent_surface_observed.not_confirmed",
    "projectionStage": "coverage_policy",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.consent_surface_observed",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [],
  "retainedEvidence": {
    "evidenceRefs": [
      "Evidence: consent control lifecycle",
      "Surface purpose: unknown",
      "Placement: unknown",
      "Layer inspected: none"
    ],
    "adChoicesLinkObserved": false,
    "consentSurfaceContaminationDetected": true,
    "consentSurfaceDemotionReasons": [
      "surface_purpose_unknown"
    ],
    "consentSurfaceObserved": false,
    "consentSurfaceDecisionStates": [
      "privacy_choice_surface_only"
    ],
    "firstLayerCookieConsentBannerObserved": false,
    "gdprEprivacyConsentSurfaceObserved": "unconfirmed",
    "privacyControlPlacement": "unknown",
    "consentControlLifecycleEvidence": {
      "evidenceRefs": [
        "browser_runtime_consent_control_lifecycle"
      ],
      "pagesChecked": [
        "https://www.kbdlab.io/"
      ],
      "coverageStatus": "usable",
      "layerInspected": "unknown",
      "surfacePurpose": "unknown",
      "controlsSearched": [
        "ad choices",
        "cookie settings",
        "cookie preferences",
        "customize cookies",
        "privacy settings",
        "manage consent",
        "manage choices",
        "consent preferences",
        "preference center",
        "privacy choices",
        "your privacy choices",
        "privacy rights",
        "do not sell or share",
        "opt out of targeted advertising",
        "withdraw consent"
      ],
      "observedControls": [],
      "footerLinksInspected": [
        "Privacy -> https://www.kbdlab.io/privacy-policy"
      ],
      "policyLinksInspected": [
        "https://www.kbdlab.io/privacy-policy",
        "https://www.kbdlab.io/terms-of-service"
      ],
      "adChoicesLinkObserved": false,
      "withdrawalTextObserved": false,
      "privacyControlPlacement": "unknown",
      "cmpReopenControlObserved": false,
      "privacyControlClickDepth": null,
      "priorConsentStatePossible": false,
      "openedAfterUserInteraction": false,
      "initialConsentLayerObserved": false,
      "footerPreferenceLinkObserved": false,
      "consentSurfaceDemotionReasons": [
        "surface_purpose_unknown"
      ],
      "cookiePreferencesLinkObserved": false,
      "privacySettingsControlObserved": false,
      "saleShareOptOutSurfaceObserved": false,
      "footerPrivacyChoiceLinkObserved": false,
      "consentDependentTrackingObserved": true,
      "targetedAdsOptOutSurfaceObserved": false,
      "consentSurfaceContaminationDetected": true,
      "oneTrustPrivacyChoicesModalObserved": false,
      "bannerDismissedOrInitialLayerUnavailable": true,
      "preferenceCenterReachableAfterInitialLayer": null
    },
    "layerInspected": "none",
    "missingEvidenceNeeded": [
      "Confirmed first-layer GDPR/ePrivacy cookie banner with uncontaminated DOM/control evidence."
    ],
    "selectedEvidenceArtifactId": "consentControlLifecycleEvidence.surfaceClassification",
    "selectedEvidenceReason": "Retained evidence did not confirm an uncontaminated first-layer GDPR/ePrivacy cookie/CMP consent surface.",
    "selectedEvidenceStrength": "limited",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Privacy/ad-choice surface observed; GDPR consent banner not confirmed."
}

Cookies or storage before consent

Observed · Gap observed

Non-essential cookies or browser storage were observed before a recorded consent action.

Advanced evidence

Storage observed before consent: Microsoft Clarity and Microsoft Advertising / Bing UET on www.clarity.ms, .bing.com, and .c.bing.com.

"Microsoft Clarity", "preConsent": true, "category": "session_replay", "domain": "www.clarity.ms"

"Microsoft Advertising / Bing UET", "preConsent": true, "category": "advertising_measurement", "domain": ".bing.com"

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Storage before consent observed",
  "evidenceState": "observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.pre_consent_cookies_storage.gap_observed",
    "projectionStage": "executive_projection",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.pre_consent_cookies_storage",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "analytics_cookie_pre_consent",
      "label": "Analytics cookies before consent"
    },
    {
      "id": "third_party_cookie_pre_consent",
      "label": "Third-party cookie or storage observed before consent"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [
      "Storage observed before consent: Microsoft Clarity and Microsoft Advertising / Bing UET on www.clarity.ms, .bing.com, and .c.bing.com.",
      "\"Microsoft Clarity\", \"preConsent\": true, \"category\": \"session_replay\", \"domain\": \"www.clarity.ms\"",
      "\"Microsoft Advertising / Bing UET\", \"preConsent\": true, \"category\": \"advertising_measurement\", \"domain\": \".bing.com\""
    ],
    "evidenceRefs": [
      "Analytics cookies before consent",
      "Observed before a clear user choice was made.",
      "privacy.preconsent_tracking_detected",
      "Runtime vendor: Microsoft Advertising / Bing UET",
      "Runtime vendor: Microsoft Clarity",
      "Third-party cookie or storage observed before consent"
    ],
    "projectedFindingPreview": [
      {
        "id": "analytics_cookie_pre_consent",
        "evidencePreview": [
          "Observed before a clear user choice was made.",
          "privacy.preconsent_tracking_detected",
          "Runtime vendor: Microsoft Advertising / Bing UET",
          "Runtime vendor: Microsoft Clarity"
        ],
        "label": "Analytics cookies before consent"
      },
      {
        "id": "third_party_cookie_pre_consent",
        "evidencePreview": [
          "Observed before a clear user choice was made.",
          "privacy.preconsent_tracking_detected",
          "Runtime vendor: Microsoft Advertising / Bing UET",
          "Runtime vendor: Microsoft Clarity"
        ],
        "label": "Third-party cookie or storage observed before consent"
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "preConsentCookieOrStorageEvidence.concreteStorageArtifacts",
    "selectedEvidenceReason": "Selected retained concrete cookie/storage evidence for storage timing; request-only tracking evidence is not used as storage proof.",
    "selectedEvidenceStrength": "strong",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Executive/regulatory projection already retained finding evidence for this row."
}

Third-party tracking before consent

Observed · Gap observed

Analytics, advertising, cross-site measurement, or similar third-party requests were observed before recorded consent.

Advanced evidence

Tracking requests observed before consent: Google Tag Manager and Microsoft Clarity; firstSeenMs 1311.

"Google Tag Manager", "preConsent": true, "firstSeenMs": 1311, "category": "tag_manager"

"Microsoft Clarity", "preConsent": true, "firstSeenMs": 1311, "category": "session_replay"

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Advertising and analytics before consent",
  "evidenceState": "observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.pre_consent_third_party_tracking.gap_observed",
    "projectionStage": "unified_finding",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.pre_consent_third_party_tracking",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "preconsent_tracking",
      "label": "Third-party tracking observed before recorded consent",
      "severity": "high"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [
      "Tracking requests observed before consent: Google Tag Manager and Microsoft Clarity; firstSeenMs 1311.",
      "\"Google Tag Manager\", \"preConsent\": true, \"firstSeenMs\": 1311, \"category\": \"tag_manager\"",
      "\"Microsoft Clarity\", \"preConsent\": true, \"firstSeenMs\": 1311, \"category\": \"session_replay\""
    ],
    "evidenceRefs": [
      "Third-party tracking observed before recorded consent",
      "Signal: Pre-consent tracking detected",
      "Review issue: Pre-consent tracking incidents detected",
      "Evidence flag: explicit_policy_snippet_retained",
      "Evidence flag: contradiction_runtime_artifact_retained",
      "Evidence flag: privacy.preconsent_tracking_detected"
    ],
    "findingEntities": [
      {
        "id": "preconsent_tracking",
        "entities": {
          "findingSubtype": [
            "runtime_vendor_not_disclosed",
            "consent_governance_disclosure_gap"
          ],
          "consentGovernanceDisclosureEvidence": [
            "{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{\"consentBannerObserved\":false,\"consentRelevantTrackingObserved\":true},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[\"Microsoft Advertising / Bing UET\",\"Microsoft Clarity\",\"Google Tag Manager\"],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"https://c.bing.com/c.gif?ctsa=mr&CtsSyncId=EFE539007690408DBD266D294C1711E3&RedC=c.clarity.ms&MXFR=3208E4ABD96C61682EDCF3C5DD6C6F36\",\"https://c.clarity.ms/c.gif\",\"https://c.clarity.ms/c.gif?ctsa=mr&CtsSyncId=EFE539007690408DBD266D294C1711E3&MUID=0C6FB5C8C0AF640E1C49A2A6C12C6517\",\"https://www.clarity.ms/tag/m97n86hou6\",\"https://www.googletagmanager.com/gtag/js\",\"https://www.googletagmanager.com/gtag/js?id=G-H1SWTMGGJ4\",\"script_host:c.bing.com\",\"script_host:www.clarity.ms\",\"script_host:www.googletagmanager.com\"],\"textAnchors\":[]},\"coverage\":{}}"
          ],
          "observedTrackingVendors": [
            "Microsoft Advertising / Bing UET",
            "Microsoft Clarity",
            "Google Tag Manager"
          ],
          "preconsent_cookie_categories": [
            "analytics",
            "advertising",
            "session_replay",
            "necessary",
            "unknown"
          ],
          "preconsent_cookie_excluded_functional_names": [
            "__Host-next-auth.csrf-token"
          ]
        },
        "evidenceFlags": [
          "explicit_policy_snippet_retained",
          "contradiction_runtime_artifact_retained",
          "privacy.preconsent_tracking_detected",
          "privacy.tracking_before_consent_detected"
        ],
        "sourceRefs": [
          "Signal: Pre-consent tracking detected",
          "Review issue: Pre-consent tracking incidents detected"
        ]
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "preConsentTrackingRequestEvidence",
    "selectedEvidenceReason": "Selected retained pre-consent request/vendor timing evidence; storage evidence is evaluated separately.",
    "selectedEvidenceStrength": "strong",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Canonical unified finding projected for this row."
}

Decline / reject option availability

Not testable · Coverage limitation

Reject-path availability was not resolved from the retained consent-surface evidence.

Reject-path availability could not be evaluated because no first-layer GDPR/ePrivacy cookie consent banner was confirmed. Footer privacy/ad-choice controls were observed, but they do not establish an accept/reject consent surface.

Advanced evidence

Evidence: consent surface demotion

Reason: no confirmed first-layer cookie consent banner

{
  "assessmentStatus": "coverage_limitation",
  "coverageArea": "Decline / reject option availability",
  "evidenceState": "not_testable",
  "status": "Not testable",
  "missingOrIncompleteSourceSignals": [
    {
      "actual": false,
      "expected": true,
      "field": "WS01.firstLayerCookieConsentBannerObserved",
      "source": "WS01",
      "whyNeeded": "Required before WC01 can evaluate first-layer accept/reject availability."
    }
  ],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.reject_all_path_availability.not_testable",
    "projectionStage": "coverage_policy",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.reject_all_path_availability",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [],
  "retainedEvidence": {
    "evidenceRefs": [
      "Evidence: consent surface demotion",
      "Reason: no_confirmed_first_layer_cookie_consent_banner"
    ],
    "firstLayerCookieConsentBannerObserved": false,
    "gdprEprivacyConsentSurfaceObserved": "unconfirmed",
    "reason": "no_confirmed_first_layer_cookie_consent_banner",
    "missingEvidenceNeeded": [
      "Confirmed first-layer GDPR/ePrivacy cookie banner and same-surface accept/reject control inventory.",
      "WS01.firstLayerCookieConsentBannerObserved: Required before WC01 can evaluate first-layer accept/reject availability."
    ],
    "selectedEvidenceArtifactId": "rejectPathDepthAndAvailability",
    "selectedEvidenceReason": "Reject-path evidence is not selected as testable unless a first-layer GDPR/ePrivacy cookie banner and valid reject state are confirmed.",
    "selectedEvidenceStrength": "limited",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Reject-path availability could not be evaluated because no first-layer GDPR/ePrivacy cookie consent banner was confirmed. Footer privacy/ad-choice controls were observed, but they do not establish an accept/reject consent surface."
}

Tracking after refusal

Not testable · Coverage limitation

The retained scan context did not include a confirmed reject action, so post-reject tracking reduction could not be tested.

Post-reject tracking could not be tested because no first-layer GDPR/ePrivacy consent banner and no valid reject action were confirmed. Footer privacy/ad-choice controls were observed, but they do not establish a reject state for comparison.

Advanced evidence

Evidence: post-reject tracking reduction evidence

consent audit not attempted

{
  "assessmentStatus": "coverage_limitation",
  "coverageArea": "Tracking after refusal",
  "evidenceState": "not_testable",
  "status": "Not testable",
  "missingOrIncompleteSourceSignals": [
    {
      "actual": false,
      "expected": true,
      "field": "WS01.firstLayerCookieConsentBannerObserved",
      "source": "WS01",
      "whyNeeded": "Required before WC01 can establish a GDPR/ePrivacy reject state for post-choice tracking comparison."
    },
    {
      "actual": null,
      "expected": true,
      "field": "postRejectTrackingReductionEvidence.rejectInteractionConfirmed",
      "source": "WS01",
      "whyNeeded": "Required to establish a valid after-reject state."
    },
    {
      "actual": null,
      "expected": true,
      "field": "postRejectTrackingReductionEvidence.postRejectWindowAvailable",
      "source": "WS01",
      "whyNeeded": "Required to compare baseline tracking against the post-reject window."
    },
    {
      "actual": null,
      "expected": true,
      "field": "postRejectTrackingReductionEvidence.postRejectRequestRecordsObserved",
      "source": "WS01",
      "whyNeeded": "Required to prove whether non-essential requests persisted after reject."
    }
  ],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.post_reject_tracking_reduction.not_testable",
    "projectionStage": "coverage_policy",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.post_reject_tracking_reduction",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [],
  "retainedEvidence": {
    "evidenceRefs": [
      "Evidence: post-reject tracking reduction evidence",
      "consent_audit_not_attempted"
    ],
    "reductionEvaluationStatus": "not_testable",
    "rejectInteractionFailureClass": "consent_audit_not_attempted",
    "rejectInteractionFailureReason": "Consent interaction audit was not attempted for this scan.",
    "rejectInteractionConfirmed": false,
    "firstLayerCookieConsentBannerObserved": false,
    "gdprEprivacyConsentSurfaceObserved": "unconfirmed",
    "reason": "no_confirmed_first_layer_cookie_consent_banner",
    "missingEvidenceNeeded": [
      "Confirmed reject interaction and retained post-reject request/cookie comparison window.",
      "WS01.firstLayerCookieConsentBannerObserved: Required before WC01 can establish a GDPR/ePrivacy reject state for post-choice tracking comparison.",
      "postRejectTrackingReductionEvidence.rejectInteractionConfirmed: Required to establish a valid after-reject state.",
      "postRejectTrackingReductionEvidence.postRejectWindowAvailable: Required to compare baseline tracking against the post-reject window.",
      "postRejectTrackingReductionEvidence.postRejectRequestRecordsObserved: Required to prove whether non-essential requests persisted after reject."
    ],
    "selectedEvidenceArtifactId": "postRejectTrackingReductionEvidence",
    "selectedEvidenceReason": "Reject-path evidence is not selected as testable unless a first-layer GDPR/ePrivacy cookie banner and valid reject state are confirmed.",
    "selectedEvidenceStrength": "limited",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Post-reject tracking could not be tested because no first-layer GDPR/ePrivacy consent banner and no valid reject action were confirmed. Footer privacy/ad-choice controls were observed, but they do not establish a reject state for comparison."
}

Post-choice consent controls

Not observed · Gap observed

Post-choice consent preference controls require review from the retained lifecycle evidence.

Advanced evidence

No obvious cookie preferences, privacy settings, or consent-preference reopen control was observed on the scanned public pages.

Runtime request: https://www.kbdlab.io/

Source: https://www.kbdlab.io/

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Post-choice consent controls",
  "evidenceState": "not_observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.preference_withdrawal_control.gap_observed",
    "projectionStage": "unified_finding",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.preference_withdrawal_control",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "consent_control_not_reopenable",
      "label": "Consent controls may be hard to revisit",
      "severity": "medium"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [
      "No obvious cookie preferences, privacy settings, or consent-preference reopen control was observed on the scanned public pages.",
      "Runtime request: https://www.kbdlab.io/",
      "Source: https://www.kbdlab.io/"
    ],
    "evidenceRefs": [
      "Consent controls may be hard to revisit",
      "Signal: Consent controls may be hard to revisit",
      "Evidence flag: explicit_policy_snippet_retained",
      "Evidence flag: contradiction_runtime_artifact_retained",
      "Evidence flag: privacy.consent_control_not_reopenable",
      "Evidence strength: direct runtime"
    ],
    "findingEntities": [
      {
        "id": "consent_control_not_reopenable",
        "entities": {
          "consentControlLifecycleEvidence": [
            "{\"bannerDismissedOrInitialLayerUnavailable\":true,\"cmpReopenControlObserved\":false,\"trackingRequiringConsentReviewObserved\":true,\"controlsSearched\":[\"ad choices\",\"cookie settings\",\"cookie preferences\",\"customize cookies\",\"privacy settings\",\"manage consent\",\"manage choices\",\"consent preferences\",\"preference center\",\"privacy choices\",\"your privacy choices\",\"privacy rights\",\"do not sell or share\",\"opt out of targeted advertising\",\"withdraw consent\"],\"cookiePreferencesLinkObserved\":false,\"coverageStatus\":\"usable\",\"evidenceRefs\":[\"browser_runtime_consent_control_lifecycle\"],\"footerLinksInspected\":[\"Privacy -> https://www.kbdlab.io/privacy-policy\"],\"footerPreferenceLinkObserved\":false,\"initialConsentLayerObserved\":false,\"observedControls\":[],\"pagesChecked\":[\"https://www.kbdlab.io/\"],\"policyLinksInspected\":[\"https://www.kbdlab.io/privacy-policy\",\"https://www.kbdlab.io/terms-of-service\"],\"preferenceCenterReachableAfterInitialLayer\":null,\"postChoicePreferenceControlClickOutcome\":null,\"priorConsentStatePossible\":false,\"privacySettingsControlObserved\":false,\"withdrawalTextObserved\":false}"
          ],
          "consentControlPagesChecked": [
            "https://www.kbdlab.io/"
          ],
          "consentControlsSearched": [
            "ad choices",
            "cookie settings",
            "cookie preferences",
            "customize cookies",
            "privacy settings"
          ],
          "consentFooterLinksInspected": [
            "Privacy -> https://www.kbdlab.io/privacy-policy"
          ],
          "consentControlCoverageStatus": [
            "usable"
          ]
        },
        "evidenceFlags": [
          "explicit_policy_snippet_retained",
          "contradiction_runtime_artifact_retained",
          "privacy.consent_control_not_reopenable"
        ],
        "sourceRefs": [
          "Signal: Consent controls may be hard to revisit"
        ]
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "unified_finding",
    "selectedEvidenceReason": "Selected the strongest retained canonical coverage evidence available for this row.",
    "selectedEvidenceStrength": "moderate",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Canonical unified finding projected for this row."
}

Runtime vendors vs. disclosures

Observed · Gap observed

Observed runtime vendors were not clearly matched in the reviewed public privacy/cookie disclosures.

Advanced evidence

Policy/behavior conflict

Signal: Runtime vendor disclosure alignment review

Evidence: explicit policy snippet retained

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Runtime vendors vs. disclosures",
  "evidenceState": "observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.runtime_vendor_disclosure_alignment.gap_observed",
    "projectionStage": "unified_finding",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.runtime_vendor_disclosure_alignment",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "policy_behavior_conflict",
      "label": "Policy/behavior conflict",
      "severity": "medium"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [],
    "evidenceRefs": [
      "Policy/behavior conflict",
      "Signal: Runtime vendor disclosure alignment review",
      "Evidence flag: explicit_policy_snippet_retained",
      "Evidence flag: contradiction_runtime_artifact_retained",
      "Evidence flag: context.policy_behavior_conflict_detected",
      "Evidence strength: direct runtime"
    ],
    "findingEntities": [
      {
        "id": "policy_behavior_conflict",
        "entities": {
          "findingSubtype": [
            "runtime_vendor_not_disclosed",
            "consent_governance_disclosure_gap"
          ],
          "runtimeVendorDisclosureEvidence": [
            "{\"subtype\":\"runtime_vendor_not_disclosed\",\"observedRuntimeDomains\":[\"www.clarity.ms\",\"www.googletagmanager.com\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"observedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"unmatchedRuntimeDomains\":[\"www.clarity.ms\",\"www.googletagmanager.com\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"unmatchedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"policySurfacesSearched\":[{\"type\":\"privacy_policy\",\"reached\":true,\"url\":\"https://www.kbdlab.io/privacy-policy\",\"snippet\":\"onalize the advertising content that you see on websites that you visit. Note that KBD Lab has no access to or control over these cookies that are used by third-party advertisers. Third Party Privacy Policies KBD Lab's Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may incl\",\"retainedEvidenceRef\":\"scan_document_sources:8eb991da-817b-4326-907c-8f2a42b619a5\",\"searchedTerms\":[\"Google Tag Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]},{\"type\":\"other\",\"reached\":true,\"url\":\"https://www.kbdlab.io/terms-of-service\",\"snippet\":\"d have all necessary licenses and consents to do so; The Comments do not invade any intellectual property right, including without limitation copyright, patent or trademark of any third party; The Comments do not contain any defamatory, libelous, offensive, indecent or otherwise unlawful material which is an invasion of privacy The Comments will not be used to solicit or promote business or custom or present commercial activiti\",\"retainedEvidenceRef\":\"scan_document_sources:a68ec68c-7ad1-492a-ace0-0013382061a9\",\"searchedTerms\":[\"Google Tag Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]}],\"matchedVendorDisclosureCount\":0,\"unmatchedVendorDisclosureCount\":2,\"mismatchRationale\":\"Observed runtime vendors (Google Tag Manager, Microsoft Clarity) were not clearly matched by name or known domain alias in retained policy disclosure surfaces.\",\"coverageStatus\":\"usable\",\"evidenceConfidence\":\"moderate\",\"directVsInferred\":\"direct\",\"privacyPolicyUrl\":\"https://www.kbdlab.io/privacy-policy\",\"categories\":[\"session_replay\",\"tag_manager\",\"unknown\"],\"parentFindingId\":\"policy_behavior_contradiction_detected\"}"
          ],
          "observedRuntimeVendors": [
            "Google Tag Manager",
            "Microsoft Clarity"
          ],
          "observedRuntimeDomains": [
            "www.clarity.ms",
            "www.googletagmanager.com",
            "scripts.clarity.ms",
            "c.clarity.ms"
          ],
          "runtimeVendors": [
            "Google Tag Manager",
            "Microsoft Clarity"
          ]
        },
        "evidenceFlags": [
          "explicit_policy_snippet_retained",
          "contradiction_runtime_artifact_retained",
          "context.policy_behavior_conflict_detected"
        ],
        "sourceRefs": [
          "Signal: Runtime vendor disclosure alignment review"
        ]
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "runtimeVendorDisclosureEvidence.strongestUsableMismatch",
    "selectedEvidenceReason": "Selected the usable direct runtime-vendor disclosure comparison row with observed vendors, unmatched vendors/domains, searched policy surfaces, confidence, and mismatch rationale.",
    "selectedEvidenceStrength": "strong",
    "weakerArtifactsIgnored": [
      {
        "artifactId": "runtimeVendorDisclosureEvidence.coverage_unknown",
        "reason": "Weaker coverage-unknown rows are not selected when a usable direct vendor-disclosure mismatch row is retained."
      }
    ]
  },
  "statusBasis": "Canonical unified finding projected for this row."
}

Sensitive forms with third-party tracking

Not observed · Checked

No eligible sensitive forms or flows were observed alongside third-party tracking in the tested context.

Sensitive-field correlation completed for the tested context and did not retain eligible sensitive fields alongside third-party tracking.

Advanced evidence

Evidence: sensitive third-party tracking correlation completed

{
  "assessmentStatus": "checked",
  "coverageArea": "Sensitive surfaces with third-party tracking",
  "evidenceState": "not_observed",
  "status": "Not observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.sensitive_surfaces_third_party_tracking.not_observed",
    "projectionStage": "coverage_policy",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.sensitive_surfaces_third_party_tracking",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [],
  "retainedEvidence": {
    "evidenceRefs": [
      "Evidence: sensitive third-party tracking correlation completed"
    ],
    "eligibleSensitiveFieldCount": 0,
    "rawSensitiveFieldCount": 0,
    "sensitiveThirdPartyTrackingCorrelationStatus": "ok",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "sensitiveThirdPartyTrackingCorrelation",
    "selectedEvidenceReason": "Retained sensitive-surface evidence does not conclusively establish direct same-context sensitive-field tracking correlation.",
    "selectedEvidenceStrength": "moderate",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Sensitive-field correlation completed for the tested context and did not retain eligible sensitive fields alongside third-party tracking."
}

Session replay / behavioral analytics

Observed · Gap observed

CertScore observed session replay or behavioral analytics before a recorded consent action. Review consent timing, disclosure, masking/exclusion settings, sensitive-page coverage, and withdrawal controls.

Advanced evidence

Why this surfaced: coordinated browser/device entropy collection was retained for review, with no retained proof of identity-oriented fingerprinting.

Stronger retained primitives: hardware/device attribute collection, canvas/WebGL access.

Additional browser context: screen/viewport, network/device state, timezone/locale, storage capability.

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Session replay before consent observed",
  "evidenceState": "observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.session_replay_fingerprinting_review.gap_observed",
    "projectionStage": "unified_finding",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.session_replay_fingerprinting_review",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "fingerprinting_observed",
      "label": "Fingerprinting observed",
      "severity": "high"
    },
    {
      "id": "session_replay_observed",
      "label": "Session replay observed",
      "severity": "high"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [
      "Why this surfaced: coordinated browser/device entropy collection was retained for review, with no retained proof of identity-oriented fingerprinting.",
      "Stronger retained primitives: hardware/device attribute collection, canvas/WebGL access.",
      "Additional browser context: screen/viewport, network/device state, timezone/locale, storage capability."
    ],
    "evidenceRefs": [
      "Fingerprinting observed",
      "Signal: Fingerprinting detected",
      "Evidence flag: contradiction_runtime_artifact_retained",
      "Evidence flag: privacy.fingerprinting_detected",
      "Evidence strength: direct runtime",
      "Evidence strength: fallback only"
    ],
    "findingEntities": [
      {
        "id": "fingerprinting_observed",
        "entities": {
          "findingSubtype": [
            "consent_governance_disclosure_gap"
          ],
          "consentGovernanceDisclosureEvidence": [
            "{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"hybrid_runtime_evidence\"],\"textAnchors\":[]},\"coverage\":{}}"
          ],
          "fingerprintAttributeCategories": [
            "screen_viewport",
            "hardware",
            "network_device_state",
            "timezone_locale",
            "storage"
          ],
          "fingerprintingSignals": [
            "screen_viewport",
            "hardware",
            "network_device_state",
            "timezone_locale",
            "storage"
          ],
          "fingerprintingRuntimeEvidence": [
            "{\"host\":\"kbdlabimages.s3.us-east-2.amazonaws.com\",\"tier\":2,\"vendor\":null,\"callSites\":[\"screen\",\"userAgent\",\"onLine\",\"connection\"],\"requestUrl\":\"https://kbdlabimages.s3.us-east-2.amazonaws.com/jay-zhang-v5YJ1BSTHM0-unsplash.webp\",\"artifactRef\":\"e886e217f9fa239e3b4195f966100573f0bfd02857bfe503ce88829b0cb7fc89\",\"initiatorUrl\":\"https://www.kbdlab.io/\",\"runtimePhase\":\"unknown\",\"scriptOrigin\":\"unknown\",\"evidenceSource\":\"fingerprint_api_runtime_event\",\"firstEventTsMs\":146,\"vendorCategory\":null,\"requestQueryKeys\":[],\"attributeCategories\":[\"screen_viewport\",\"hardware\",\"network_device_state\",\"timezone_locale\",\"storage\",\"canvas_webgl\"],\"knownBotLibraryMatch\":null,\"vendorAttributionBasis\":null,\"entropyLinkedToIdentifier\":false,\"deviceDataLikeRequestCount\":0,\"identifierLikeRequestCount\":0,\"entropyTransmissionObserved\":false,\"knownFingerprintLibraryMatch\":null}"
          ]
        },
        "evidenceFlags": [
          "contradiction_runtime_artifact_retained",
          "privacy.fingerprinting_detected"
        ],
        "sourceRefs": [
          "Signal: Fingerprinting detected"
        ]
      },
      {
        "id": "session_replay_observed",
        "entities": {
          "findingSubtype": [
            "consent_governance_disclosure_gap"
          ],
          "consentGovernanceDisclosureEvidence": [
            "{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[\"Microsoft Clarity\"],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"session_replay_vendor:Microsoft Clarity\"],\"textAnchors\":[]},\"coverage\":{}}"
          ],
          "observedTrackingVendors": [
            "Microsoft Clarity"
          ],
          "runtimeRequestUrls": [
            "https://www.clarity.ms",
            "https://www.clarity.ms/tag/m97n86hou6",
            "https://scripts.clarity.ms/0.8.64/clarity.js",
            "https://c.clarity.ms/c.gif"
          ],
          "session_replay_runtime_vendors": [
            "Microsoft Clarity"
          ]
        },
        "evidenceFlags": [
          "contradiction_runtime_artifact_retained",
          "privacy.session_replay_runtime_detected",
          "privacy.session_replay_runtime_vendors",
          "commerce.session_replay_tool_detected"
        ],
        "sourceRefs": [
          "Signal: Session replay runtime detected",
          "Signal: Session replay runtime vendors",
          "Signal: Session replay tool detected"
        ]
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "unified_finding",
    "selectedEvidenceReason": "Selected the strongest retained canonical coverage evidence available for this row.",
    "selectedEvidenceStrength": "moderate",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Canonical unified findings projected for this row."
}

Cross-border endpoint review

Observed · Gap observed

Transfer-relevant advertising, analytics, or behavioral tracking endpoints were observed for Microsoft Clarity, Microsoft Advertising / Bing UET, and Google Tag Manager. Additional third-party asset endpoints were retained as supporting runtime context.

Advanced evidence

{
  "assessmentStatus": "gap_observed",
  "coverageArea": "Transfer-relevant vendor disclosure gap",
  "evidenceState": "observed",
  "status": "Gap observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.cross_border_endpoint_review.gap_observed",
    "projectionStage": "unified_finding",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.cross_border_endpoint_review",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [
    {
      "id": "cross_border_endpoint_transfer_review_signal",
      "label": "Cross-border endpoint transfer review signal",
      "severity": "medium"
    },
    {
      "id": "cross_border_vendor_disclosure_gap",
      "label": "Cross-border vendor disclosure gap observed",
      "severity": "medium"
    }
  ],
  "retainedEvidence": {
    "evidenceHighlights": [
      "Transfer-relevant advertising, analytics, or behavioral tracking endpoints were observed for Microsoft Clarity, Microsoft Advertising / Bing UET, and Google Tag Manager. Additional third-party asset endpoints were retained as supporting runtime context."
    ],
    "evidenceRefs": [
      "Cross-border endpoint transfer review signal",
      "Review issue: Cross-border endpoint transfer review signal",
      "Evidence flag: explicit_policy_snippet_retained",
      "Evidence flag: contradiction_runtime_artifact_retained",
      "Evidence flag: privacy.cross_border_endpoint_transfer_review_signal",
      "Evidence strength: direct runtime"
    ],
    "findingEntities": [
      {
        "id": "cross_border_endpoint_transfer_review_signal",
        "entities": {
          "endpointJurisdictionEvidence": [
            "{\"confidence\":\"high\",\"etldPlusOne\":\"clarity.ms\",\"firstPartyStatus\":\"third_party\",\"host\":\"www.clarity.ms\",\"inferredCountryCode\":\"US\",\"inferredRegion\":\"US_OR_GLOBAL\",\"inferenceBasis\":\"known_runtime_service_domain\",\"matchedVendorCategory\":\"session_replay\",\"matchedVendorName\":\"Microsoft Clarity\",\"requestCount\":1,\"samplePaths\":[\"/tag/m97n86hou6\"],\"scriptCount\":1,\"sources\":[\"cookie\",\"request\",\"script\"],\"transferReviewSignal\":true}",
            "{\"confidence\":\"high\",\"etldPlusOne\":\"clarity.ms\",\"firstPartyStatus\":\"third_party\",\"host\":\"c.clarity.ms\",\"inferredCountryCode\":\"US\",\"inferredRegion\":\"US_OR_GLOBAL\",\"inferenceBasis\":\"known_runtime_service_domain\",\"matchedVendorCategory\":\"session_replay\",\"matchedVendorName\":\"Microsoft Clarity\",\"requestCount\":2,\"samplePaths\":[\"/c.gif\"],\"scriptCount\":0,\"sources\":[\"cookie\",\"redirect\",\"request\"],\"transferReviewSignal\":true}",
            "{\"confidence\":\"high\",\"etldPlusOne\":\"bing.com\",\"firstPartyStatus\":\"third_party\",\"host\":\"c.bing.com\",\"inferredCountryCode\":\"US\",\"inferredRegion\":\"US_OR_GLOBAL\",\"inferenceBasis\":\"known_runtime_service_domain\",\"matchedVendorCategory\":\"advertising\",\"matchedVendorName\":\"Microsoft Advertising / Bing UET\",\"requestCount\":1,\"samplePaths\":[\"/c.gif\"],\"scriptCount\":0,\"sources\":[\"cookie\",\"redirect\",\"request\"],\"transferReviewSignal\":true}",
            "{\"confidence\":\"high\",\"etldPlusOne\":\"googletagmanager.com\",\"firstPartyStatus\":\"third_party\",\"host\":\"www.googletagmanager.com\",\"inferredCountryCode\":\"US\",\"inferredRegion\":\"US_OR_GLOBAL\",\"inferenceBasis\":\"known_runtime_service_domain\",\"matchedVendorCategory\":\"tag_manager\",\"matchedVendorName\":\"Google Tag Manager\",\"requestCount\":1,\"samplePaths\":[\"/gtag/js\"],\"scriptCount\":1,\"sources\":[\"request\",\"script\"],\"transferReviewSignal\":true}",
            "{\"confidence\":\"high\",\"etldPlusOne\":\"clarity.ms\",\"firstPartyStatus\":\"third_party\",\"host\":\"scripts.clarity.ms\",\"inferredCountryCode\":\"US\",\"inferredRegion\":\"US_OR_GLOBAL\",\"inferenceBasis\":\"known_runtime_service_domain\",\"matchedVendorCategory\":\"session_replay\",\"matchedVendorName\":\"Microsoft Clarity\",\"requestCount\":1,\"samplePaths\":[\"/0.8.64/clarity.js\"],\"scriptCount\":1,\"sources\":[\"request\",\"script\"],\"transferReviewSignal\":true}"
          ],
          "endpointTransferReviewHosts": [
            "www.clarity.ms",
            "c.clarity.ms",
            "c.bing.com",
            "www.googletagmanager.com",
            "scripts.clarity.ms"
          ],
          "endpointTransferReviewCountries": [
            "US"
          ],
          "endpointTransferReviewRegions": [
            "US_OR_GLOBAL"
          ],
          "endpointTransferReviewVendors": [
            "Microsoft Clarity",
            "Microsoft Advertising / Bing UET",
            "Google Tag Manager"
          ]
        },
        "evidenceFlags": [
          "explicit_policy_snippet_retained",
          "contradiction_runtime_artifact_retained",
          "privacy.cross_border_endpoint_transfer_review_signal"
        ],
        "sourceRefs": [
          "Review issue: Cross-border endpoint transfer review signal"
        ]
      },
      {
        "id": "cross_border_vendor_disclosure_gap",
        "entities": {
          "findingSubtype": [
            "runtime_vendor_not_disclosed"
          ],
          "runtimeVendorDisclosureEvidence": [
            "{\"subtype\":\"runtime_vendor_not_disclosed\",\"observedRuntimeDomains\":[\"www.clarity.ms\",\"www.googletagmanager.com\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"observedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"unmatchedRuntimeDomains\":[\"www.clarity.ms\",\"www.googletagmanager.com\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"unmatchedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"policySurfacesSearched\":[{\"type\":\"privacy_policy\",\"reached\":true,\"url\":\"https://www.kbdlab.io/privacy-policy\",\"snippet\":\"onalize the advertising content that you see on websites that you visit. Note that KBD Lab has no access to or control over these cookies that are used by third-party advertisers. Third Party Privacy Policies KBD Lab's Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may incl\",\"retainedEvidenceRef\":\"scan_document_sources:8eb991da-817b-4326-907c-8f2a42b619a5\",\"searchedTerms\":[\"Google Tag Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]},{\"type\":\"other\",\"reached\":true,\"url\":\"https://www.kbdlab.io/terms-of-service\",\"snippet\":\"d have all necessary licenses and consents to do so; The Comments do not invade any intellectual property right, including without limitation copyright, patent or trademark of any third party; The Comments do not contain any defamatory, libelous, offensive, indecent or otherwise unlawful material which is an invasion of privacy The Comments will not be used to solicit or promote business or custom or present commercial activiti\",\"retainedEvidenceRef\":\"scan_document_sources:a68ec68c-7ad1-492a-ace0-0013382061a9\",\"searchedTerms\":[\"Google Tag 
Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]}],\"matchedVendorDisclosureCount\":0,\"unmatchedVendorDisclosureCount\":2,\"mismatchRationale\":\"Observed runtime vendors (Google Tag Manager, Microsoft Clarity) were not clearly matched by name or known domain alias in retained policy disclosure surfaces.\",\"coverageStatus\":\"usable\",\"evidenceConfidence\":\"moderate\",\"directVsInferred\":\"direct\",\"privacyPolicyUrl\":\"https://www.kbdlab.io/privacy-policy\",\"categories\":[\"session_replay\",\"tag_manager\",\"unknown\"],\"parentFindingId\":\"policy_behavior_contradiction_detected\"}"
          ],
          "observedRuntimeVendors": [
            "Google Tag Manager",
            "Microsoft Clarity"
          ],
          "observedRuntimeDomains": [
            "www.clarity.ms",
            "www.googletagmanager.com",
            "scripts.clarity.ms",
            "c.clarity.ms"
          ],
          "runtimeVendors": [
            "Google Tag Manager",
            "Microsoft Clarity"
          ]
        },
        "evidenceFlags": [
          "explicit_policy_snippet_retained",
          "contradiction_runtime_artifact_retained",
          "privacy.cross_border_endpoint_transfer_review_signal",
          "privacy.runtime_vendor_not_disclosed"
        ],
        "sourceRefs": [
          "Signal: Cross-border vendor disclosure gap observed"
        ]
      }
    ],
    "status": "Gap observed",
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "endpointJurisdictionEvidence+runtimeVendorDisclosureEvidence",
    "selectedEvidenceReason": "Selected transfer-relevant endpoint evidence together with usable vendor-disclosure mismatch evidence.",
    "selectedEvidenceStrength": "strong",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Canonical unified findings projected for this row."
}

Consent control accessibility

Not observed · Checked

No consent/privacy-control accessibility issue was retained in the tested context.

Automated accessibility issues were retained for the tested page context, such as a general page or navigation control, but WS01 did not tie the retained examples to the observed consent banner, preference center, or privacy-choice controls.

Advanced evidence

Evidence: accessibility audit context

{
  "assessmentStatus": "checked",
  "coverageArea": "Accessibility of consent controls",
  "evidenceState": "not_observed",
  "status": "Not observed",
  "missingOrIncompleteSourceSignals": [],
  "pipeline": {
    "concernPolicyKey": "gdpr_eprivacy_coverage.accessibility_consent_controls.not_observed",
    "projectionStage": "coverage_policy",
    "wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.accessibility_consent_controls",
    "ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
  },
  "projectedFindings": [],
  "retainedEvidence": {
    "evidenceRefs": [
      "Evidence: accessibility audit context"
    ],
    "ariaIssueCount": 0,
    "axeEvidenceRows": 2,
    "buttonNameIssueCount": 0,
    "consentSurfaceObserved": false,
    "controlAccessibilityIssueCount": 0,
    "controlAccessibilityIssueObserved": false,
    "cookieConsentAccessibilityIssueObserved": false,
    "examplesAreGeneralPageOnly": true,
    "focusIssueCount": 0,
    "gdprCookieConsentSurfaceObserved": false,
    "keyboardIssueCount": 0,
    "labelIssueCount": 0,
    "linkNameIssueCount": 0,
    "privacyAdChoiceSurfaceObserved": false,
    "privacyChoiceAccessibilityIssueObserved": false,
    "privacyChoiceSurfaceObserved": false,
    "privacyControlObserved": false,
    "visualAccessReviewRetained": true,
    "missingEvidenceNeeded": [],
    "selectedEvidenceArtifactId": "privacyControlAccessibility.scopeClassification",
    "selectedEvidenceReason": "Retained accessibility evidence was not tied to a consent/privacy-control-specific issue.",
    "selectedEvidenceStrength": "moderate",
    "weakerArtifactsIgnored": []
  },
  "statusBasis": "Automated accessibility issues were retained for the tested page context, such as a general page or navigation control, but WS01 did not tie the retained examples to the observed consent banner, preference center, or privacy-choice controls."
}

Public-web signals CertScore checked during this scan. Lack of a finding does not necessarily mean compliance; some areas may be not observed, not testable, or out of scope.

CertScore.ai can make mistakes. Treat automated public-web results as a review aid, not legal advice, certification, or a compliance determination; verify important conclusions against retained evidence.