Scan: kbdlab.io
Completed
Created May 16, 2026, 12:56 PM
Exec Summary
Action Needed
Benchmark: Commerce / retail
Immediate privacy and consent issues detected
Score note: Consent and pre-consent tracking risk is the main issue. CertScore did not confirm a first-layer GDPR/ePrivacy cookie consent banner, while advertising/analytics storage and tracking were observed before any recorded consent choice. Footer privacy/ad-choice controls were observed, but they do not establish a GDPR/ePrivacy accept/reject consent surface.
Overall score
Expected 72
67/100 overall score
3rd-party requests
Expected 24
11 3rd-party requests
Cookies before consent
Expected 2
15 cookies before consent
Top findings
Highest-priority issues
Third-party tracking observed before recorded consent
Microsoft Clarity appeared before recorded consent; first classified signal at 4074ms after page load. Tracking before a clear user choice can undermine consent expectations.
Review focus
Confirm whether these services are intentionally allowed before consent or should be gated by consent controls.
Evidence details
"Microsoft Clarity", "preConsent": true, "firstSeenMs": 4074
{
"id": "pre_consent_tracking_detected",
"label": "Third-party tracking observed before recorded consent",
"section": "Privacy & Tracking",
"criticality": "high",
"scanPriority": "critical",
"confidence": "strong",
"directVsInferred": "direct",
"evidenceSchema": "runtime_report_evidence",
"evidenceVersion": "1.1",
"evidenceConfidence": "strong",
"directnessClassification": "direct_observation",
"topFindingEligibility": {
"eligibility": "top_candidate",
"matchedCriteria": [
"runtime_timing",
"runtime_request_anchor",
"preconsent_adtech_replay_or_identifier_context"
],
"missingCorroborators": []
},
"publicReportEvidenceHandling": {
"queryStrings": "redacted_when_urls_are_included",
"cookieValues": "[redacted_for_public_report]",
"retainedArtifacts": "only fields present in this evidence packet are included"
},
"automationLimits": [
"Automated public-web observation for review, not a legal conclusion.",
"Not detected means not observed within scan scope, not proof of absence.",
"Runtime report evidence uses live scan artifacts; /findings sample JSON is illustrative reference copy."
],
"shortSummary": "Observed runtime behavior showed third-party tracking before any recorded consent choice. The first classified tracking request occurred at 4074ms, with representative vendors including Microsoft Clarity.",
"evidenceDetails": {
"scanContext": {
"scanMode": "initial_page_load",
"pageUrl": "https://www.kbdlab.io/"
},
"consentState": {
"userConsentActionObserved": false,
"trackingOccurredBeforeConsentChoice": true
},
"consentBasis": "No accept, reject, manage, or close interaction was recorded before the listed tracking requests.",
"timingAnalysis": null,
"timing": {
"firstThirdPartyTrackingRequestMs": 4074
},
"counts": {
"totalPreConsentThirdPartyTrackingRequests": 1,
"representativePreConsentTrackingRequests": 1,
"uniquePreConsentTrackingVendorsObserved": 1,
"preConsentTrackingCookies": 13,
"identifierLikeRequests": 0
},
"requestSelectionNote": "Representative requests are capped examples and are not exhaustive.",
"vendors": [
{
"name": "Microsoft Clarity",
"category": "session_replay",
"preConsent": true,
"firstSeenMs": 4074,
"representativeUrl": "https://www.clarity.ms/tag/m97n86hou6"
}
],
"directlyObservedPreConsentVendors": [
{
"name": "Microsoft Clarity",
"category": "session_replay",
"preConsent": true,
"firstSeenMs": 4074
}
],
"relatedOrInferredVendors": [
{
"name": "Microsoft Advertising / Bing UET",
"category": "advertising_measurement",
"preConsent": true
},
{
"name": "Google Tag Manager",
"category": "tag_manager",
"preConsent": true
}
],
"vendorEvidenceCompleteness": {
"directVendorAnchorsOmittedFromPublicPacket": false,
"representativeRequestsCapped": false,
"relatedVendorAttributionLimitedByAnchors": true,
"someVendorAnchorsOmittedFromPublicPacket": false,
"vendorDisplayLimitedToAnchoredEvidence": true
},
"representativeRequests": [
{
"hostname": "www.clarity.ms",
"registrableDomain": "clarity.ms",
"vendorName": "Microsoft Clarity",
"vendorCategory": "session_replay",
"vendorAttributionBasis": "observed_request",
"relatedOrInitiatingVendor": null,
"classificationBasis": "observed_request",
"collectionEndpointType": null,
"firstPartyOrThirdParty": null,
"matchedSignatureId": null,
"firstSeenMs": 4074,
"consentActionMs": null,
"noConsentActionObserved": true,
"consentSurfaceObserved": null,
"consentInteractionRecorded": false,
"confidence": null,
"runtimePhase": null
}
],
"identifierEvidence": {
"addressingOrSignalingTransmittedByRequest": true,
"identifierLikeRequestCount": 0,
"deviceDataLikeRequestCount": 0,
"interpretation": "Standard browser HTTP requests to third-party domains transmit network-level addressing information required for routing."
},
"policyEvidence": {
"evaluated": false
},
"limitations": [
"Automated scan does not determine legal status.",
"Network requests show browser-to-third-party communication, not the full downstream use of data."
]
}
}
Regulatory context: GDPR / ePrivacy, CCPA / CPRA, FTC
Consent timing: tracking before recorded choice
Runtime evidence showed a classified non-essential tracking, analytics, advertising, cross-site measurement, or storage signal before CertScore observed a consent action or a prior consent state associated with that purpose. This may be relevant to consent timing, cookie/tracker, storage, transparency, and user-choice review depending on jurisdiction, purpose, configuration, and exemptions. This is shown as regulatory review context for the scanned report finding, not as a determination that any law applies or was breached.
View applicability notes
This finding does not determine legal status. Review the retained runtime anchors, vendor purpose, necessity, consent state, disclosure, region targeting, CMP configuration, prior consent state, and any applicable exemptions.
Signal snapshot
Review lenses
Consent platform
No consent banner observed
No working consent banner was retained for this scan.
Tracker footprint
Observed vendors and domains
9 total: 2 vendors, 7 domains
Policy Surfaces
Privacy policy
https://www.kbdlab.io/privacy-policy
- The policy outlines CCPA and GDPR rights, including data access and deletion requests, and emphasizes children's privacy protection. — KBD Lab's Privacy Policy outlines data collection practices, user rights under CCPA, and contact information for inquiries.
- Topics: GDPR, CCPA or CPRA, Data Retention, Children
- Flags: Missing DSAR, Vague Policy Language, Vague Retention
Terms of service
https://www.kbdlab.io/terms-of-service
- The Terms of Service for KBD Lab are governed by the laws of the Netherlands and do not mention arbitration. — The terms include a disclaimer of liability and state that the website is provided free of charge.
Fingerprinting
No probable fingerprinting detected
Minor fingerprinting indicators retained for review.
5 fingerprint indicators retained
Fingerprint evidence
Regulatory checklists
GDPR / ePrivacy (Beta)
Score: 28/100. Needs work: 3 gaps, 1 review, 5 checked, 2 not testable.
GDPR / ePrivacy review summary
Consent and pre-consent tracking risk is the main issue. 9 of 11 in-scope rows had usable automated evidence. 3 gaps observed, 1 review signal. Review retained evidence for consent timing, refusal behavior, post-choice controls, runtime vendor disclosure alignment, and cross-border analytics/tracking endpoint context.
Consent banner / preference surface
No actionable cookie/consent banner or preference surface was observed in the tested context.
Runtime consent-surface checks completed for the tested context and did not retain an actionable consent surface.
Advanced evidence
Evidence: retained consent surface observation
{
"assessmentStatus": "checked",
"coverageArea": "Consent banner / preference surface",
"evidenceState": "not_observed",
"status": "Not observed",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.consent_surface_observed.not_observed",
"projectionStage": "coverage_policy",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.consent_surface_observed",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"evidenceRefs": [
"Evidence: retained consent surface observation"
],
"consentSurfaceObserved": false,
"runtimeCaptureCompleted": true,
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "consentControlLifecycleEvidence.surfaceClassification",
"selectedEvidenceReason": "Retained evidence did not confirm an uncontaminated first-layer GDPR/ePrivacy cookie/CMP consent surface.",
"selectedEvidenceStrength": "missing",
"weakerArtifactsIgnored": []
},
"statusBasis": "Runtime consent-surface checks completed for the tested context and did not retain an actionable consent surface."
}
Cookies or storage before consent
Non-essential cookies or browser storage were observed before a recorded consent action.
Advanced evidence
Storage observed before consent: Microsoft Clarity and Microsoft Advertising / Bing UET on www.clarity.ms, c.clarity.ms, and .clarity.ms.
"Microsoft Clarity", "preConsent": true, "category": "session_replay", "domain": "www.clarity.ms"
"Microsoft Clarity", "preConsent": true, "category": "session_replay", "domain": "c.clarity.ms"
{
"assessmentStatus": "gap_observed",
"coverageArea": "Storage before consent observed",
"evidenceState": "observed",
"status": "Gap observed",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.pre_consent_cookies_storage.gap_observed",
"projectionStage": "executive_projection",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.pre_consent_cookies_storage",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [
{
"id": "analytics_cookie_pre_consent",
"label": "Analytics cookies before consent"
},
{
"id": "third_party_cookie_pre_consent",
"label": "Third-party cookie or storage observed before consent"
}
],
"retainedEvidence": {
"evidenceHighlights": [
"Storage observed before consent: Microsoft Clarity and Microsoft Advertising / Bing UET on www.clarity.ms, c.clarity.ms, and .clarity.ms.",
"\"Microsoft Clarity\", \"preConsent\": true, \"category\": \"session_replay\", \"domain\": \"www.clarity.ms\"",
"\"Microsoft Clarity\", \"preConsent\": true, \"category\": \"session_replay\", \"domain\": \"c.clarity.ms\""
],
"evidenceRefs": [
"Analytics cookies before consent",
"Observed before a clear user choice was made.",
"privacy.preconsent_tracking_detected",
"Runtime vendor: Microsoft Clarity",
"Runtime vendor: Microsoft Advertising / Bing UET",
"Third-party cookie or storage observed before consent"
],
"projectedFindingPreview": [
{
"id": "analytics_cookie_pre_consent",
"evidencePreview": [
"Observed before a clear user choice was made.",
"privacy.preconsent_tracking_detected",
"Runtime vendor: Microsoft Clarity",
"Runtime vendor: Microsoft Advertising / Bing UET"
],
"label": "Analytics cookies before consent"
},
{
"id": "third_party_cookie_pre_consent",
"evidencePreview": [
"Observed before a clear user choice was made.",
"privacy.preconsent_tracking_detected",
"Runtime vendor: Microsoft Clarity",
"Runtime vendor: Microsoft Advertising / Bing UET"
],
"label": "Third-party cookie or storage observed before consent"
}
],
"status": "Gap observed",
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "preConsentCookieOrStorageEvidence.concreteStorageArtifacts",
"selectedEvidenceReason": "Selected retained concrete cookie/storage evidence for storage timing; request-only tracking evidence is not used as storage proof.",
"selectedEvidenceStrength": "strong",
"weakerArtifactsIgnored": []
},
"statusBasis": "Executive/regulatory projection already retained finding evidence for this row."
}
Third-party tracking before consent
Analytics, advertising, cross-site measurement, or similar third-party requests were observed before recorded consent.
Advanced evidence
Tracking requests observed before consent: Microsoft Clarity; firstSeenMs 4074.
"Microsoft Clarity", "preConsent": true, "firstSeenMs": 4074, "category": "session_replay"
"Microsoft Clarity", "preConsent": true, "firstSeenMs": 4074, "consentState": "pre_consent", "category": "session_replay"
{
"assessmentStatus": "gap_observed",
"coverageArea": "Advertising and analytics before consent",
"evidenceState": "observed",
"status": "Gap observed",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.pre_consent_third_party_tracking.gap_observed",
"projectionStage": "unified_finding",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.pre_consent_third_party_tracking",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [
{
"id": "preconsent_tracking",
"label": "Third-party tracking observed before recorded consent",
"severity": "high"
}
],
"retainedEvidence": {
"evidenceHighlights": [
"Tracking requests observed before consent: Microsoft Clarity; firstSeenMs 4074.",
"\"Microsoft Clarity\", \"preConsent\": true, \"firstSeenMs\": 4074, \"category\": \"session_replay\"",
"\"Microsoft Clarity\", \"preConsent\": true, \"firstSeenMs\": 4074, \"consentState\": \"pre_consent\", \"category\": \"session_replay\""
],
"evidenceRefs": [
"Third-party tracking observed before recorded consent",
"Signal: Pre-consent tracking detected",
"Review issue: Pre-consent tracking incidents detected",
"Evidence flag: explicit_policy_snippet_retained",
"Evidence flag: contradiction_runtime_artifact_retained",
"Evidence flag: privacy.preconsent_tracking_detected"
],
"findingEntities": [
{
"id": "preconsent_tracking",
"entities": {
"findingSubtype": [
"runtime_vendor_not_disclosed",
"consent_governance_disclosure_gap"
],
"consentGovernanceDisclosureEvidence": [
"{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{\"consentBannerObserved\":false,\"consentRelevantTrackingObserved\":true},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[\"Microsoft Advertising / Bing UET\",\"Microsoft Clarity\",\"Google Tag Manager\"],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"https://c.bing.com/c.gif?ctsa=mr&CtsSyncId=C7267349A81443D1A6A3B679D7FD15C3&RedC=c.clarity.ms&MXFR=2FA7399B12026C4230A42EC016026250\",\"https://www.clarity.ms/tag/m97n86hou6\",\"https://c.clarity.ms/c.gif\",\"https://c.clarity.ms/c.gif?ctsa=mr&CtsSyncId=C7267349A81443D1A6A3B679D7FD15C3&MUID=3D1C307C63F46CF12E10272762776D3E\",\"script_host:c.bing.com\",\"script_host:www.clarity.ms\",\"script_host:www.googletagmanager.com\"],\"textAnchors\":[]},\"coverage\":{}}"
],
"preconsent_cookie_categories": [
"analytics",
"advertising",
"session_replay",
"necessary",
"unknown"
],
"preconsent_cookie_excluded_functional_names": [
"__Host-next-auth.csrf-token"
],
"preconsent_cookie_initiator_domains": [
"www.clarity.ms",
"c.clarity.ms",
"c.bing.com",
".c.bing.com",
".c.clarity.ms"
]
},
"evidenceFlags": [
"explicit_policy_snippet_retained",
"contradiction_runtime_artifact_retained",
"privacy.preconsent_tracking_detected",
"privacy.tracking_before_consent_detected"
],
"sourceRefs": [
"Signal: Pre-consent tracking detected",
"Review issue: Pre-consent tracking incidents detected"
]
}
],
"status": "Gap observed",
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "preConsentTrackingRequestEvidence",
"selectedEvidenceReason": "Selected retained pre-consent request/vendor timing evidence; storage evidence is evaluated separately.",
"selectedEvidenceStrength": "strong",
"weakerArtifactsIgnored": []
},
"statusBasis": "Canonical unified finding projected for this row."
}
Decline / reject option availability
Reject-path availability was not resolved from the retained consent-surface evidence.
No reject-path availability finding was surfaced in this scan context.
Advanced evidence
{
"assessmentStatus": "checked",
"coverageArea": "Decline / reject option availability",
"evidenceState": "not_observed",
"status": "Not observed",
"missingOrIncompleteSourceSignals": [
{
"actual": "missing",
"expected": "row-specific retained policy outcome or projected finding",
"field": "WC01.coverageOutcomes.reject_all_path_availability",
"source": "WC01",
"whyNeeded": "Required to prove this row status from retained canonical evidence rather than default checklist fallback."
}
],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.reject_all_path_availability.not_observed",
"projectionStage": "coverage_fallback",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.reject_all_path_availability",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"status": "Not observed",
"missingEvidenceNeeded": [
"WC01.coverageOutcomes.reject_all_path_availability: Required to prove this row status from retained canonical evidence rather than default checklist fallback."
],
"selectedEvidenceArtifactId": "rejectPathDepthAndAvailability",
"selectedEvidenceReason": "Selected retained same-surface reject-path or post-reject comparison evidence.",
"selectedEvidenceStrength": "limited",
"weakerArtifactsIgnored": []
},
"statusBasis": "No reject-path availability finding was surfaced in this scan context."
}
Tracking after refusal
Post-reject tracking reduction evidence did not produce an eligible gap signal.
No post-reject tracking persistence finding was surfaced in this scan context.
Advanced evidence
{
"assessmentStatus": "checked",
"coverageArea": "Tracking after refusal",
"evidenceState": "not_observed",
"status": "Not observed",
"missingOrIncompleteSourceSignals": [
{
"actual": "missing",
"expected": "row-specific retained policy outcome or projected finding",
"field": "WC01.coverageOutcomes.post_reject_tracking_reduction",
"source": "WC01",
"whyNeeded": "Required to prove this row status from retained canonical evidence rather than default checklist fallback."
}
],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.post_reject_tracking_reduction.not_observed",
"projectionStage": "coverage_fallback",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.post_reject_tracking_reduction",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"status": "Not observed",
"missingEvidenceNeeded": [
"WC01.coverageOutcomes.post_reject_tracking_reduction: Required to prove this row status from retained canonical evidence rather than default checklist fallback."
],
"selectedEvidenceArtifactId": "postRejectTrackingReductionEvidence",
"selectedEvidenceReason": "Selected retained same-surface reject-path or post-reject comparison evidence.",
"selectedEvidenceStrength": "limited",
"weakerArtifactsIgnored": []
},
"statusBasis": "No post-reject tracking persistence finding was surfaced in this scan context."
}
Post-choice consent controls
No way to reopen or change consent preferences after the initial choice was observed.
No consent preference reopen-control finding was surfaced in this scan context.
Advanced evidence
{
"assessmentStatus": "checked",
"coverageArea": "Post-choice consent controls",
"evidenceState": "not_observed",
"status": "Not observed",
"missingOrIncompleteSourceSignals": [
{
"actual": "missing",
"expected": "row-specific retained policy outcome or projected finding",
"field": "WC01.coverageOutcomes.preference_withdrawal_control",
"source": "WC01",
"whyNeeded": "Required to prove this row status from retained canonical evidence rather than default checklist fallback."
}
],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.preference_withdrawal_control.not_observed",
"projectionStage": "coverage_fallback",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.preference_withdrawal_control",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"status": "Not observed",
"missingEvidenceNeeded": [
"WC01.coverageOutcomes.preference_withdrawal_control: Required to prove this row status from retained canonical evidence rather than default checklist fallback."
],
"selectedEvidenceArtifactId": "coverage_fallback",
"selectedEvidenceReason": "Selected the strongest retained canonical coverage evidence available for this row.",
"selectedEvidenceStrength": "limited",
"weakerArtifactsIgnored": []
},
"statusBasis": "No consent preference reopen-control finding was surfaced in this scan context."
}
Runtime vendors vs. disclosures
Observed runtime vendors were not clearly matched in the reviewed public privacy/cookie disclosures.
Advanced evidence
Policy/behavior conflict
Signal: Runtime vendor disclosure alignment review
Evidence: explicit policy snippet retained
{
"assessmentStatus": "gap_observed",
"coverageArea": "Runtime vendors vs. disclosures",
"evidenceState": "observed",
"status": "Gap observed",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.runtime_vendor_disclosure_alignment.gap_observed",
"projectionStage": "unified_finding",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.runtime_vendor_disclosure_alignment",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [
{
"id": "policy_behavior_conflict",
"label": "Policy/behavior conflict",
"severity": "medium"
}
],
"retainedEvidence": {
"evidenceHighlights": [],
"evidenceRefs": [
"Policy/behavior conflict",
"Signal: Runtime vendor disclosure alignment review",
"Evidence flag: explicit_policy_snippet_retained",
"Evidence flag: contradiction_runtime_artifact_retained",
"Evidence flag: context.policy_behavior_conflict_detected",
"Evidence strength: direct runtime"
],
"findingEntities": [
{
"id": "policy_behavior_conflict",
"entities": {
"findingSubtype": [
"runtime_vendor_not_disclosed",
"consent_governance_disclosure_gap"
],
"runtimeVendorDisclosureEvidence": [
"{\"subtype\":\"runtime_vendor_not_disclosed\",\"observedRuntimeDomains\":[\"www.googletagmanager.com\",\"www.clarity.ms\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"observedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"unmatchedRuntimeDomains\":[\"www.googletagmanager.com\",\"www.clarity.ms\",\"scripts.clarity.ms\",\"c.clarity.ms\"],\"unmatchedRuntimeVendors\":[\"Google Tag Manager\",\"Microsoft Clarity\"],\"policySurfacesSearched\":[{\"type\":\"privacy_policy\",\"reached\":true,\"url\":\"https://www.kbdlab.io/privacy-policy\",\"snippet\":\"onalize the advertising content that you see on websites that you visit. Note that KBD Lab has no access to or control over these cookies that are used by third-party advertisers. Third Party Privacy Policies KBD Lab's Privacy Policy does not apply to other advertisers or websites. Thus, we are advising you to consult the respective Privacy Policies of these third-party ad servers for more detailed information. It may incl\",\"retainedEvidenceRef\":\"scan_document_sources:9565e6e8-37cf-4dd6-b639-045ea6f44fa9\",\"searchedTerms\":[\"Google Tag Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]},{\"type\":\"other\",\"reached\":true,\"url\":\"https://www.kbdlab.io/terms-of-service\",\"snippet\":\"d have all necessary licenses and consents to do so; The Comments do not invade any intellectual property right, including without limitation copyright, patent or trademark of any third party; The Comments do not contain any defamatory, libelous, offensive, indecent or otherwise unlawful material which is an invasion of privacy The Comments will not be used to solicit or promote business or custom or present commercial activiti\",\"retainedEvidenceRef\":\"scan_document_sources:ddf9b764-a4d5-4425-b5db-b2702b019730\",\"searchedTerms\":[\"Google Tag Manager\",\"google tag manager\",\"googletagmanager.com\",\"gtm\",\"Microsoft Clarity\",\"microsoft clarity\",\"clarity.ms\",\"clarity\"],\"unmatchedVendorNames\":[\"Google Tag Manager\",\"Microsoft Clarity\"]}],\"matchedVendorDisclosureCount\":0,\"unmatchedVendorDisclosureCount\":2,\"mismatchRationale\":\"Observed runtime vendors (Google Tag Manager, Microsoft Clarity) were not clearly matched by name or known domain alias in retained policy disclosure surfaces.\",\"coverageStatus\":\"usable\",\"evidenceConfidence\":\"moderate\",\"directVsInferred\":\"direct\",\"privacyPolicyUrl\":\"https://www.kbdlab.io/privacy-policy\",\"categories\":[\"functional\",\"session_replay\",\"tag_manager\"],\"parentFindingId\":\"policy_behavior_contradiction_detected\"}"
],
"observedRuntimeVendors": [
"Google Tag Manager",
"Microsoft Clarity"
],
"observedRuntimeDomains": [
"www.googletagmanager.com",
"www.clarity.ms",
"scripts.clarity.ms",
"c.clarity.ms"
],
"runtimeVendors": [
"Google Tag Manager",
"Microsoft Clarity"
]
},
"evidenceFlags": [
"explicit_policy_snippet_retained",
"contradiction_runtime_artifact_retained",
"context.policy_behavior_conflict_detected"
],
"sourceRefs": [
"Signal: Runtime vendor disclosure alignment review"
]
}
],
"status": "Gap observed",
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "runtimeVendorDisclosureEvidence.strongestUsableMismatch",
"selectedEvidenceReason": "Selected the usable direct runtime-vendor disclosure comparison row with observed vendors, unmatched vendors/domains, searched policy surfaces, confidence, and mismatch rationale.",
"selectedEvidenceStrength": "strong",
"weakerArtifactsIgnored": [
{
"artifactId": "runtimeVendorDisclosureEvidence.coverage_unknown",
"reason": "Weaker coverage-unknown rows are not selected when a usable direct vendor-disclosure mismatch row is retained."
}
]
},
"statusBasis": "Canonical unified finding projected for this row."
}
Sensitive forms with third-party tracking
No eligible sensitive forms or flows were observed alongside third-party tracking in the tested context.
Sensitive-field correlation completed for the tested context and did not retain eligible sensitive fields alongside third-party tracking.
Advanced evidence
Evidence: sensitive third-party tracking correlation completed
{
"assessmentStatus": "checked",
"coverageArea": "Sensitive surfaces with third-party tracking",
"evidenceState": "not_observed",
"status": "Not observed",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.sensitive_surfaces_third_party_tracking.not_observed",
"projectionStage": "coverage_policy",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.sensitive_surfaces_third_party_tracking",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"evidenceRefs": [
"Evidence: sensitive third-party tracking correlation completed"
],
"eligibleSensitiveFieldCount": 0,
"rawSensitiveFieldCount": 0,
"sensitiveThirdPartyTrackingCorrelationStatus": "ok",
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "sensitiveThirdPartyTrackingCorrelation",
"selectedEvidenceReason": "Retained sensitive-surface evidence does not conclusively establish direct same-context sensitive-field tracking correlation.",
"selectedEvidenceStrength": "moderate",
"weakerArtifactsIgnored": []
},
"statusBasis": "Sensitive-field correlation completed for the tested context and did not retain eligible sensitive fields alongside third-party tracking."
}
Session replay / behavioral analytics
CertScore observed session replay or behavioral analytics vendors not observed pre-consent in retained evidence, including Microsoft Clarity. Because these tools can capture user interaction behavior, review consent timing, disclosure, masking/exclusion settings, sensitive-page coverage, and withdrawal controls.
Advanced evidence
Why this surfaced: coordinated browser/device entropy collection was retained for review, with no retained proof of identity-oriented fingerprinting.
Stronger retained primitives: hardware/device attribute collection, canvas/WebGL access.
Additional browser context: screen/viewport, network/device state, timezone/locale, storage capability.
{
"assessmentStatus": "review_signal",
"coverageArea": "Session replay / behavioral analytics observed",
"evidenceState": "observed",
"status": "Review signal",
"missingOrIncompleteSourceSignals": [],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.session_replay_fingerprinting_review.review_signal",
"projectionStage": "unified_finding",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.session_replay_fingerprinting_review",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [
{
"id": "fingerprinting_observed",
"label": "Fingerprinting observed",
"severity": "high"
},
{
"id": "session_replay_observed",
"label": "Session replay observed",
"severity": "high"
}
],
"retainedEvidence": {
"evidenceHighlights": [
"Why this surfaced: coordinated browser/device entropy collection was retained for review, with no retained proof of identity-oriented fingerprinting.",
"Stronger retained primitives: hardware/device attribute collection, canvas/WebGL access.",
"Additional browser context: screen/viewport, network/device state, timezone/locale, storage capability."
],
"evidenceRefs": [
"Fingerprinting observed",
"Signal: Fingerprinting detected",
"Evidence flag: contradiction_runtime_artifact_retained",
"Evidence flag: privacy.fingerprinting_detected",
"Evidence strength: direct runtime",
"Evidence strength: fallback only"
],
"findingEntities": [
{
"id": "fingerprinting_observed",
"entities": {
"findingSubtype": [
"consent_governance_disclosure_gap"
],
"consentGovernanceDisclosureEvidence": [
"{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"hybrid_runtime_evidence\"],\"textAnchors\":[]},\"coverage\":{}}"
],
"fingerprintAttributeCategories": [
"screen_viewport",
"hardware",
"network_device_state",
"timezone_locale",
"storage"
],
"fingerprintingSignals": [
"screen_viewport",
"hardware",
"network_device_state",
"timezone_locale",
"storage"
],
"fingerprintingRuntimeEvidence": [
"{\"host\":\"kbdlabimages.s3.us-east-2.amazonaws.com\",\"tier\":2,\"vendor\":null,\"requestUrl\":\"https://kbdlabimages.s3.us-east-2.amazonaws.com/jay-zhang-v5YJ1BSTHM0-unsplash.webp\",\"artifactRef\":\"ae77a8777ca0c2df228cda94f0a325a2d954016860a5077a488967099214dd8b\",\"runtimePhase\":\"unknown\",\"scriptOrigin\":\"unknown\",\"evidenceSource\":\"fingerprint_api_runtime_event\",\"firstEventTsMs\":2111,\"attributeCategories\":[\"screen_viewport\",\"hardware\",\"network_device_state\",\"timezone_locale\",\"storage\",\"canvas_webgl\"],\"knownBotLibraryMatch\":null,\"knownFingerprintLibraryMatch\":null}"
]
},
"evidenceFlags": [
"contradiction_runtime_artifact_retained",
"privacy.fingerprinting_detected"
],
"sourceRefs": [
"Signal: Fingerprinting detected"
]
},
{
"id": "session_replay_observed",
"entities": {
"findingSubtype": [
"consent_governance_disclosure_gap"
],
"consentGovernanceDisclosureEvidence": [
"{\"concernId\":\"consent_governance_disclosure_gap\",\"relevanceTriggers\":{},\"missingOrWeakDisclosureSignals\":{},\"supportingAnchors\":{\"cookiePolicyUrls\":[],\"observedConsentVendors\":[],\"observedControls\":[],\"observedTrackingVendors\":[\"Microsoft Clarity\"],\"policyUrls\":[],\"preferenceCenterUrls\":[],\"runtimeAnchors\":[\"session_replay_vendor:Microsoft Clarity\"],\"textAnchors\":[]},\"coverage\":{}}"
],
"observedTrackingVendors": [
"Microsoft Clarity"
],
"runtimeRequestUrls": [
"https://www.clarity.ms",
"https://www.clarity.ms/tag/m97n86hou6",
"https://scripts.clarity.ms/0.8.64/clarity.js",
"https://c.clarity.ms/c.gif"
],
"session_replay_runtime_vendors": [
"Microsoft Clarity"
]
},
"evidenceFlags": [
"contradiction_runtime_artifact_retained",
"privacy.session_replay_runtime_detected",
"privacy.session_replay_runtime_vendors",
"commerce.session_replay_tool_detected"
],
"sourceRefs": [
"Signal: Session replay runtime detected",
"Signal: Session replay runtime vendors",
"Signal: Session replay tool detected"
]
}
],
"status": "Review signal",
"missingEvidenceNeeded": [],
"selectedEvidenceArtifactId": "unified_finding",
"selectedEvidenceReason": "Selected the strongest retained canonical coverage evidence available for this row.",
"selectedEvidenceStrength": "missing",
"weakerArtifactsIgnored": []
},
"statusBasis": "Canonical unified findings projected for this row."
}
Cross-border endpoint review
No public-web international transfer review signal was projected from observed third-party endpoints.
Third-party endpoint inventory was retained, but endpoint jurisdiction or transfer-region evidence was not retained for this scan.
Advanced evidence
Third-party endpoint domains observed: 7
{
"assessmentStatus": "coverage_limitation",
"coverageArea": "Cross-border analytics / tracking endpoint review",
"evidenceState": "not_testable",
"status": "Not testable",
"missingOrIncompleteSourceSignals": [
{
"actual": 0,
"expected": "one or more endpoint jurisdiction evidence rows",
"field": "hybridRuntimeEvidence.endpointJurisdictionEvidence",
"source": "WS01",
"whyNeeded": "Required to evaluate whether observed third-party endpoints create a transfer-region review signal."
}
],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.cross_border_endpoint_review.not_testable",
"projectionStage": "coverage_policy",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.cross_border_endpoint_review",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"evidenceRefs": [
"Third-party endpoint domains observed: 7"
],
"endpointJurisdictionRows": 0,
"thirdPartyDomainCount": 7,
"missingEvidenceNeeded": [
"Endpoint geography plus usable disclosure mismatch for transfer-relevant vendors before rendering a gap.",
"hybridRuntimeEvidence.endpointJurisdictionEvidence: Required to evaluate whether observed third-party endpoints create a transfer-region review signal."
],
"selectedEvidenceArtifactId": "endpointJurisdictionEvidence",
"selectedEvidenceReason": "Endpoint geography is retained as a transfer-review signal; gap-level status requires a usable transfer-relevant disclosure mismatch.",
"selectedEvidenceStrength": "moderate",
"weakerArtifactsIgnored": []
},
"statusBasis": "Third-party endpoint inventory was retained, but endpoint jurisdiction or transfer-region evidence was not retained for this scan."
}
Consent control accessibility
No consent/privacy-control accessibility issue was retained in the tested context.
Consent/privacy control accessibility was not testable because no usable consent/privacy-control accessibility evidence was retained.
Advanced evidence
Evidence: accessibility audit context
{
"assessmentStatus": "coverage_limitation",
"coverageArea": "Accessibility of consent controls",
"evidenceState": "not_testable",
"status": "Not testable",
"missingOrIncompleteSourceSignals": [
{
"actual": false,
"expected": true,
"field": "consentPrivacyControlObserved",
"source": "WS01",
"whyNeeded": "Required before WC01 can evaluate accessibility evidence for consent or privacy-choice controls."
}
],
"pipeline": {
"concernPolicyKey": "gdpr_eprivacy_coverage.accessibility_consent_controls.not_testable",
"projectionStage": "coverage_policy",
"wc01NormalizedConcernKey": "gdpr_eprivacy.coverage.accessibility_consent_controls",
"ws01EvidenceRole": "observed runtime signal identification, evidence capture, and logging"
},
"projectedFindings": [],
"retainedEvidence": {
"evidenceRefs": [
"Evidence: accessibility audit context"
],
"ariaIssueCount": 0,
"axeEvidenceRows": 2,
"consentSurfaceObserved": false,
"controlAccessibilityIssueCount": 0,
"focusIssueCount": 0,
"keyboardIssueCount": 0,
"labelIssueCount": 0,
"visualAccessReviewRetained": false,
"missingEvidenceNeeded": [
"Control-specific accessibility issue tied to a retained cookie-consent or privacy-choice control.",
"consentPrivacyControlObserved: Required before WC01 can evaluate accessibility evidence for consent or privacy-choice controls."
],
"selectedEvidenceArtifactId": "privacyControlAccessibility.scopeClassification",
"selectedEvidenceReason": "Retained accessibility evidence was not tied to a consent/privacy-control-specific issue.",
"selectedEvidenceStrength": "missing",
"weakerArtifactsIgnored": []
},
"statusBasis": "Consent/privacy control accessibility was not testable because no usable consent/privacy-control accessibility evidence was retained."
}
Public-web signals CertScore checked during this scan. Lack of a finding does not necessarily mean compliance; some areas may be not observed, not testable, or out of scope.
CertScore.ai can make mistakes. Treat automated public-web results as a review aid, not legal advice, certification, or a compliance determination; verify important conclusions against retained evidence.