# The compliance audit stack — CMP, GA4/GTM config, cookie drift, AI disclosure, CCPA/GDPR

Six tools that check what a CMP audit actually checks — consent mode, blocking-mode enforcement, pre-consent cookie writes, IAB TCF v2.2 signaling, Global Privacy Control handling, and EU AI Act Article 50 readiness.

Author: J.A. Watte
Published: April 22, 2026
Source: https://jwatte.com/blog/blog-new-compliance-audit-tools-2026/

---

Paying $99 a month for OneTrust or Cookiebot gives you a banner. It doesn't check whether the banner actually blocks Microsoft Clarity before the user clicks accept. These six tools do.

## 1. [CMP Compliance Audit](/tools/cmp-compliance-audit/)

Scans the page for 12 consent-management platforms (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi, Quantcast, TrustArc, and site-native banners), checks for the IAB TCF v2.2 `__tcfapi` global, detects CCPA "Do Not Sell" link text, and verifies Global Privacy Control (GPC) handling.

The tool surfaces the #1 silent compliance failure: **having a CMP but not running it in blocking mode**. The banner is decorative. Analytics fires anyway.

## 2. [GA4 / GTM Configuration Audit](/tools/ga4-gtm-config-audit/)

Detects GA4 + GTM IDs on the page, then checks for the Consent Mode v2 default call (required for EEA users since March 2024), the `anonymize_ip` IP anonymization flag, `gtm_auth` / `gtm_preview` leakage (indicates an unpublished container), and duplicate measurement IDs.

Google Ads + GA4 silently shrink ad remarketing audiences when Consent Mode v2 isn't wired. The audit catches this — no error in the browser, just slowly degrading performance.
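A static version of these checks, as an added example rather than the audit tool's own code: it looks for the Consent Mode default call, confirms it carries the four v2 keys and sits before the first tag, and reports duplicate `gtag('config', …)` calls and `gtm_auth` / `gtm_preview` parameters. The function name, finding labels and the sample markup with its placeholder IDs are assumptions made for the illustration.

```javascript
// Added example: static audit of page HTML. Not the audit tool's own code.
const V2_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function auditGa4Gtm(html) {
  const findings = [];

  // Count gtag('config', 'G-...') calls per measurement ID; more than one is a duplicate.
  const configs = {};
  for (const m of html.matchAll(/gtag\(\s*['"]config['"]\s*,\s*['"](G-[A-Z0-9]+)['"]/g)) {
    configs[m[1]] = (configs[m[1]] || 0) + 1;
  }
  for (const [id, n] of Object.entries(configs)) {
    if (n > 1) findings.push(`duplicate-measurement-id:${id}`);
  }

  // Consent Mode default call: present, carrying all four v2 keys, placed before tag start.
  const def = /gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]\s*,\s*\{([^}]*)\}/.exec(html);
  if (!def) {
    findings.push('consent-default-missing');
  } else {
    const missing = V2_KEYS.filter((k) => !new RegExp(`\\b${k}\\b`).test(def[1]));
    if (missing.length) findings.push(`consent-default-lacks:${missing.join(',')}`);
    const firstTag = html.search(/gtag\(\s*['"]config['"]|['"]gtm\.start['"]/);
    if (firstTag !== -1 && firstTag < def.index) findings.push('consent-default-after-tags');
  }

  // The page treats gtm_auth / gtm_preview in markup as a sign of an unpublished container.
  if (/\bgtm_(auth|preview)=/.test(html)) findings.push('gtm-env-params-exposed');
  // anonymize_ip is reported as present or absent only.
  return { measurementIds: Object.keys(configs), anonymizeIp: /\banonymize_ip\b/.test(html), findings };
}

// Constructed sample page fragment (all IDs are placeholders).
const SAMPLE_GA4 = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE001');
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });
  gtag('config', 'G-EXAMPLE001');
</script>
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXAMPLE&gtm_auth=PLACEHOLDER&gtm_preview=env-3"></iframe>`;

console.log(auditGa4Gtm(SAMPLE_GA4).findings);
```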

## 3. [Cookie + Storage Drift Audit](/tools/cookie-storage-drift-audit/)

Most CMPs only block cookies. They miss `localStorage` and `sessionStorage` writes — which regulators (ICO, CNIL) treat as equivalent under ePrivacy.

The audit detects 15 known pre-consent trackers (GA, GTM, Facebook Pixel, LinkedIn, Clarity, Hotjar, FullStory, Mixpanel, Segment, HubSpot, Intercom, Drift, Amplitude, Pendo, Rudderstack), counts inline `document.cookie`, `localStorage`, and `sessionStorage` writes, and flags the pattern "scripts load but no CMP detected" — a straight GDPR violation for EEA visitors.
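The same idea as a static scan, added here as an example and not taken from the audit tool: it separates scripts that execute on load from scripts parked under a non-JavaScript `type`, counts cookie and web-storage writes in the executing ones, and raises the "trackers but no CMP" pattern. The host lists are a small subset chosen for the illustration, and the function name, finding labels, `data-category` attribute and sample markup are assumptions.

```javascript
// Added example, not the audit tool's code. Host lists are a small illustrative subset.
const TRACKER_HOSTS = {
  'googletagmanager.com': 'GTM/GA',
  'connect.facebook.net': 'Facebook Pixel',
  'clarity.ms': 'Clarity',
  'static.hotjar.com': 'Hotjar',
};
const CMP_HOSTS = ['consent.cookiebot.com', 'cdn.cookielaw.org']; // Cookiebot, OneTrust

function auditPreConsent(html) {
  const out = { cmpDetected: false, trackers: [], blocked: [], findings: [],
                writes: { cookie: 0, localStorage: 0, sessionStorage: 0 } };
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    // A script with a non-JavaScript type (e.g. text/plain) is inert until a CMP re-types it.
    const type = (/(?:^|\s)type\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1] || 'text/javascript';
    const runs = /^(module|(text|application)\/(java|ecma)script)$/i.test(type);
    const text = attrs + body;
    if (CMP_HOSTS.some((h) => text.includes(h))) out.cmpDetected = true;
    for (const [host, name] of Object.entries(TRACKER_HOSTS)) {
      if (text.includes(host)) (runs ? out.trackers : out.blocked).push(name);
    }
    if (!runs) continue;
    // Count writes only: assignment or setItem, never reads or comparisons.
    out.writes.cookie += (body.match(/document\.cookie\s*=(?!=)/g) || []).length;
    for (const store of ['localStorage', 'sessionStorage']) {
      const re = new RegExp(`\\b${store}\\.(setItem\\s*\\(|\\w+\\s*=(?!=))`, 'g');
      out.writes[store] += (body.match(re) || []).length;
    }
  }
  const w = out.writes;
  if (out.trackers.length) {
    out.findings.push(out.cmpDetected ? 'cmp-present-trackers-unblocked' : 'trackers-without-cmp');
  }
  if (w.cookie + w.localStorage + w.sessionStorage > 0) out.findings.push('pre-consent-storage-writes');
  return out;
}

// Constructed sample markup (IDs are placeholders; data-category is a hypothetical attribute).
const SAMPLE_PAGE = `
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE001"></script>
<script>
  document.cookie = "visitor=1; path=/";
  localStorage.setItem("ab_bucket", "B");
  sessionStorage.lastPage = location.pathname;
  var t = document.createElement("script"); t.src = "https://www.clarity.ms/tag/PLACEHOLDER";
</script>
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>`;
console.log(auditPreConsent(SAMPLE_PAGE));
```

A markup scan cannot see a CMP that blocks at runtime or a write hidden behind a consent callback, so treat its findings as leads and confirm them in a browser session that records requests and storage before the accept click.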

## 4. [AI Content Disclosure Audit](/tools/ai-content-disclosure-audit/)

EU AI Act Article 50 (effective August 2026) requires visible disclosure of synthetic content. FTC endorsement guidance already does so for the US.

The audit checks: visible "AI-generated" or "AI-assisted" text in the page body, schema.org `creativeWorkStatus` with `"generated"` / `"drafted"`, `author.@type: SoftwareApplication` markers, C2PA Content Credentials references, and presence of an `/ai-policy` or `/editorial-policy` page.
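The checks listed above as an added example, not the audit tool's own code: it walks every JSON-LD block (including `@graph` and arrays) for the schema.org markers and tests visible text and links separately from markup. The function names, the regex used for C2PA references and the sample article are assumptions made for the illustration.

```javascript
// Added example, not the audit tool's code. Sample markup below is constructed.
function* walk(node) { // yield every object in a JSON-LD tree, including @graph and arrays
  if (Array.isArray(node)) {
    for (const n of node) yield* walk(n);
  } else if (node && typeof node === 'object') {
    yield node;
    for (const v of Object.values(node)) yield* walk(v);
  }
}

function auditAiDisclosure(html) {
  const signals = { visibleText: false, creativeWorkStatus: null, softwareAuthor: false,
                    c2pa: false, policyLink: false, badJsonLd: 0 };
  const ldRe = /<script\b[^>]*type\s*=\s*["']application\/ld\+json["'][^>]*>([\s\S]*?)<\/script>/gi;
  for (const [, raw] of html.matchAll(ldRe)) {
    let doc;
    try { doc = JSON.parse(raw); } catch { signals.badJsonLd += 1; continue; }
    for (const obj of walk(doc)) {
      const status = String(obj.creativeWorkStatus || '').toLowerCase();
      if (status === 'generated' || status === 'drafted') signals.creativeWorkStatus = status;
      const authors = [].concat(obj.author || []);
      if (authors.some((a) => a && a['@type'] === 'SoftwareApplication')) signals.softwareAuthor = true;
    }
  }
  // Visible text only: drop scripts, styles and tags before looking for the disclosure wording.
  const body = html.replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, ' ').replace(/<[^>]+>/g, ' ');
  signals.visibleText = /\bAI[- ](generated|assisted)\b/i.test(body);
  signals.c2pa = /c2pa|content credentials/i.test(html); // assumed pattern for a C2PA reference
  signals.policyLink = /href\s*=\s*["'][^"']*\/(ai|editorial)-policy\b/i.test(html);
  return signals;
}

// Constructed sample: disclosed in text and schema, one malformed JSON-LD block.
const SAMPLE_ARTICLE = `
<article><p>This summary is AI-assisted and reviewed by an editor.</p>
<a href="/ai-policy/">How we use AI</a></article>
<script type="application/ld+json">
{"@context":"https://schema.org","@graph":[{"@type":"Article","creativeWorkStatus":"Drafted",
 "author":{"@type":"SoftwareApplication","name":"Example Drafting Tool"}}]}
</script>
<script type="application/ld+json">{ not json </script>`;

console.log(auditAiDisclosure(SAMPLE_ARTICLE));
```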

## 5. [Legal Pages Audit](/tools/legal-pages-audit/)

Existing tool. Checks for privacy, terms, cookies, disclaimer pages; validates each has the required elements (contact info, data retention, third-party list, etc). Companion to the [Legal Pages Generator](/tools/legal-pages-generator/).

## 6. [ADA Litigation Risk](/tools/ada-litigation-risk/)

Existing tool. Scores ADA Title III lawsuit exposure for the site. ADA website-accessibility lawsuits hit over 4,000 businesses annually in the US; the risk score identifies the top issues most likely to trigger a lawsuit and the demand-letter cost if one lands.

## What a real "compliant CMP" looks like after this audit round

1. CMP in **blocking mode** (not just banner mode). Non-essential scripts do NOT load until consent is granted.
2. [Consent Mode v2](/tools/ga4-gtm-config-audit/) wired. GA4 + Google Ads adjust for consent state instead of silently dropping data.
3. GPC header honored. `navigator.globalPrivacyControl === true` = auto-opt-out for CCPA-equivalent states.
4. CCPA "Do Not Sell or Share My Personal Information" link in footer.
5. IAB TCF v2.2 signals present if running programmatic ad-tech.
6. Privacy Policy cookie table matches actual cookies observed. Monthly CMP scanner run.
7. For AI-assisted content: visible disclosure + schema.org markers + published AI-use policy page.

## The 6-point compliance checklist

1. Run the [CMP Compliance Audit](/tools/cmp-compliance-audit/). If no CMP or banner-mode-only, fix first.
2. Run the [GA4 / GTM Config Audit](/tools/ga4-gtm-config-audit/). Wire Consent Mode v2.
3. Run the [Cookie + Storage Drift Audit](/tools/cookie-storage-drift-audit/). Block pre-consent writes including localStorage.
4. Run the [Legal Pages Audit](/tools/legal-pages-audit/). Confirm privacy, terms, cookie policy coverage.
5. Run the [ADA Litigation Risk](/tools/ada-litigation-risk/). Prioritize fixes by lawsuit exposure.
6. Run the [AI Content Disclosure Audit](/tools/ai-content-disclosure-audit/) if you publish AI-assisted content. Required in the EU from August 2026.

## Related reading

- [Mega SEO Analyzer v2](/blog/blog-mega-seo-analyzer-v2-paid-tool-parity/) — compliance dimension rolls up many of these
- [Legal Pages Generator walkthrough](/blog/blog-tool-legal-pages/) — templates for privacy / terms / cookies
- [WCAG Accessibility Audit](/blog/blog-why-the-wcag-audit-exists/) — ADA-adjacent
- [Lighthouse fixes story](/blog/blog-lighthouse-taught-me-five-new-tools/) — CSP tightening

## Fact-check notes and sources

- **GDPR Articles 5-7 (consent, data minimization):** [EUR-Lex GDPR Regulation 2016/679](https://eur-lex.europa.eu/eli/reg/2016/679/oj).
- **ePrivacy Directive Article 5(3) (cookies and equivalent storage):** [EUR-Lex 2002/58/EC](https://eur-lex.europa.eu/eli/dir/2002/58/oj).
- **CCPA / CPRA:** [California Privacy Rights Act](https://oag.ca.gov/privacy/ccpa).
- **Google Consent Mode v2 requirements:** [Google Ads Help consent-mode](https://support.google.com/google-ads/answer/10000067).
- **IAB TCF v2.2 spec:** [iabeurope.eu/tcf](https://iabeurope.eu/transparency-consent-framework/).
- **Global Privacy Control spec:** [globalprivacycontrol.org](https://globalprivacycontrol.org/).
- **EU AI Act Article 50:** [EUR-Lex Regulation 2024/1689 Art 50](https://eur-lex.europa.eu/eli/reg/2024/1689/oj).
- **ADA Title III lawsuit trends 2024:** Seyfarth Shaw annual ADA report.

_This post is informational, not legal, privacy, or compliance advice. Mentions of OneTrust, Cookiebot, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi, Quantcast, TrustArc, Google, Microsoft, Facebook, LinkedIn, Hotjar, FullStory, Mixpanel, Segment, HubSpot, Intercom, Drift, Amplitude, Pendo, Rudderstack, Seyfarth Shaw, and similar products / firms are nominative fair use. No affiliation is implied. Consult a qualified attorney or privacy officer for jurisdiction-specific compliance decisions._


