Paying $99 a month for OneTrust or Cookiebot gives you a banner. It doesn't check whether the banner actually blocks Microsoft Clarity before the user clicks accept. These six tools do.
1. CMP Compliance Audit
Scans the page for 12 consent-management platforms (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi, Quantcast, TrustArc, and site-native banners), checks for IAB TCF v2.2 __tcfapi global, detects CCPA "Do Not Sell" link text, and verifies Global Privacy Control (GPC) handling.
The tool surfaces the #1 silent compliance failure: having a CMP but not running it in blocking mode. The banner is decorative. Analytics fires anyway.
2. GA4 / GTM Configuration Audit
Detects GA4 + GTM IDs on the page, then checks for the Consent Mode v2 default call (required for EEA users since March 2024), the anonymize_ip (IP anonymization) flag, gtm_auth / gtm_preview leakage (indicates an unpublished container), and duplicate measurement IDs.
Google Ads + GA4 silently shrink ad remarketing audiences when Consent Mode v2 isn't wired. The audit catches this — no error in the browser, just slowly degrading performance.
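The Consent Mode v2 and duplicate-ID checks described above can be sketched as follows. This is an added example, not the audit tool's own code: the function name `auditConsentMode`, the array model of the dataLayer, and the measurement IDs are assumptions made for illustration.

```javascript
// Added example: audits a recorded dataLayer for the Consent Mode v2 default call.
// Entries are modelled as arrays of gtag() arguments; all sample data is constructed.
const V2_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function auditConsentMode(dataLayer) {
  const findings = [];
  const defaultIdx = dataLayer.findIndex((e) => e[0] === 'consent' && e[1] === 'default');
  const firstHitIdx = dataLayer.findIndex((e) => e[0] === 'config' || e[0] === 'event');
  if (defaultIdx === -1) {
    findings.push('no consent default call');
  } else {
    const state = dataLayer[defaultIdx][2] || {};
    const missing = V2_KEYS.filter((k) => !(k in state));
    if (missing.length) findings.push('default missing v2 keys: ' + missing.join(', '));
    // Assumption for EEA traffic: nothing should be granted before the user chooses.
    const granted = V2_KEYS.filter((k) => state[k] === 'granted');
    if (granted.length) findings.push('default grants before choice: ' + granted.join(', '));
    // The default only governs tags if it is queued before the first config/event.
    if (firstHitIdx !== -1 && firstHitIdx < defaultIdx) {
      findings.push('config/event queued before consent default');
    }
  }
  // The same measurement ID configured twice double-counts hits.
  const ids = dataLayer.filter((e) => e[0] === 'config').map((e) => e[1]);
  const dupes = [...new Set(ids.filter((id, i) => ids.indexOf(id) !== i))];
  if (dupes.length) findings.push('duplicate measurement IDs: ' + dupes.join(', '));
  return findings;
}

// Constructed samples: one correctly wired page, one with three separate faults.
const DENIED = Object.fromEntries(V2_KEYS.map((k) => [k, 'denied']));
const WIRED = [['consent', 'default', DENIED], ['config', 'G-CONSTRUCTED1']];
const MISWIRED = [
  ['config', 'G-CONSTRUCTED1'],
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' }],
  ['config', 'G-CONSTRUCTED1'],
];
```

`auditConsentMode(WIRED)` returns an empty list; `auditConsentMode(MISWIRED)` returns three findings, none of which would surface as a browser error.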
3. Cookie + Storage Drift Audit
Most CMPs only block cookies. They miss localStorage and sessionStorage writes — which regulators (ICO, CNIL) treat as equivalent under ePrivacy.
The audit detects 15 known pre-consent trackers (GA, GTM, Facebook Pixel, LinkedIn, Clarity, Hotjar, FullStory, Mixpanel, Segment, HubSpot, Intercom, Drift, Amplitude, Pendo, Rudderstack), counts inline document.cookie writes, localStorage writes, sessionStorage writes, and flags the pattern "scripts load but no CMP detected" — a straight GDPR violation for EEA visitors.
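A static version of this check, together with the blocking-mode test from section 1, fits in one function. This is an added example, not the audit tool's own code: `auditPreConsent`, the host lists (a small subset of the trackers and CMPs named above), and the sample HTML are assumptions for illustration.

```javascript
// Added example: static pre-consent audit of an HTML string (Node.js, no dependencies).
// Host lists are a small illustrative subset (assumption), matched by plain substring.
const TRACKER_HOSTS = {
  'googletagmanager.com': 'GTM / GA4',
  'google-analytics.com': 'GA',
  'connect.facebook.net': 'Facebook Pixel',
  'clarity.ms': 'Clarity',
  'static.hotjar.com': 'Hotjar',
  'snap.licdn.com': 'LinkedIn',
};
const CMP_HOSTS = ['consent.cookiebot.com', 'cdn.cookielaw.org'];

function auditPreConsent(html) {
  const r = { cmpDetected: false, liveTrackers: [], gatedTrackers: [],
              cookieWrites: 0, localStorageWrites: 0, sessionStorageWrites: 0 };
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attr = (attrs, name) =>
    ((new RegExp('(?:^|\\s)' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i').exec(attrs) || [])[1] || '');
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = attr(attrs, 'src');
    const type = attr(attrs, 'type').toLowerCase();
    // A type such as text/plain is never executed; CMPs use it to park a script until consent.
    const executes = type === '' || type === 'module' || /javascript|ecmascript/.test(type);
    if (CMP_HOSTS.some((h) => src.includes(h))) r.cmpDetected = true;
    for (const [host, name] of Object.entries(TRACKER_HOSTS)) {
      if (!(src + ' ' + body).includes(host)) continue;
      const bucket = executes ? r.liveTrackers : r.gatedTrackers;
      if (!bucket.includes(name)) bucket.push(name);
    }
    if (!executes) continue; // a parked script cannot write storage before consent
    r.cookieWrites += (body.match(/document\.cookie\s*=(?!=)/g) || []).length;
    r.localStorageWrites += (body.match(/localStorage\.setItem\s*\(/g) || []).length;
    r.sessionStorageWrites += (body.match(/sessionStorage\.setItem\s*\(/g) || []).length;
  }
  const writes = r.cookieWrites + r.localStorageWrites + r.sessionStorageWrites;
  if (r.liveTrackers.length === 0 && writes === 0) r.verdict = 'nothing fires before consent';
  else if (!r.cmpDetected) r.verdict = 'scripts load but no CMP detected';
  else r.verdict = 'CMP present but not in blocking mode';
  return r;
}

// Constructed sample: CMP tag present, Clarity left live, Hotjar parked as text/plain.
const SAMPLE_BANNER_ONLY = `
<script src="https://consent.cookiebot.com/uc.js" data-cbid="CONSTRUCTED-ID"></script>
<script src="https://www.clarity.ms/tag/CONSTRUCTED"></script>
<script>localStorage.setItem('uid', 'x'); document.cookie = 'seen=1';</script>
<script type="text/plain" src="https://static.hotjar.com/c/hotjar-CONSTRUCTED.js"></script>`;
```

A static pass only sees markup that is in the served HTML, so scripts injected at runtime need a headless-browser run with no consent given to confirm the result.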
4. AI Content Disclosure Audit
EU AI Act Article 50 (effective August 2026) requires visible disclosure of synthetic content. FTC endorsement guidance already does so in the US.
The audit checks: visible "AI-generated" or "AI-assisted" text in the page body, schema.org creativeWorkStatus with "generated" / "drafted", author.@type: SoftwareApplication markers, C2PA Content Credentials references, and presence of an /ai-policy or /editorial-policy page.
5. Legal Pages Audit
Existing tool. Checks for privacy, terms, cookies, disclaimer pages; validates each has the required elements (contact info, data retention, third-party list, etc). Companion to the Legal Pages Generator.
6. ADA Litigation Risk
Existing tool. Scores ADA Title III lawsuit exposure for the site. ADA website-accessibility lawsuits hit over 4,000 businesses annually in the US; the risk score identifies the top issues most likely to trigger a lawsuit + the demand-letter cost if one lands.
What a real "compliant CMP" looks like after this audit round
- CMP in blocking mode (not just banner mode). Non-essential scripts do NOT load until consent granted.
- Consent Mode v2 wired. GA4 + Google Ads adjust for consent state vs silently dropping data.
- GPC header honored. navigator.globalPrivacyControl === true = auto-opt-out for CCPA-equivalent states.
- CCPA "Do Not Sell or Share My Personal Information" link in footer.
- IAB TCF v2.2 signals present if running programmatic ad-tech.
- Privacy Policy cookie table matches actual cookies observed. Monthly CMP scanner run.
- For AI-assisted content: visible disclosure + schema.org markers + published AI-use policy page.
The 6-point compliance checklist
- Run the CMP Compliance Audit. If no CMP or banner-mode-only, fix first.
- Run the GA4 / GTM Config Audit. Wire Consent Mode v2.
- Run the Cookie + Storage Drift Audit. Block pre-consent writes including localStorage.
- Run the Legal Pages Audit. Confirm privacy, terms, cookie policy coverage.
- Run the ADA Litigation Risk. Prioritize fixes by lawsuit exposure.
- Run the AI Content Disclosure Audit if you publish AI-assisted content. Required in EU from August 2026.
Related reading
- Mega SEO Analyzer v2 — compliance dimension rolls up many of these
- Legal Pages Generator walkthrough — templates for privacy / terms / cookies
- WCAG Accessibility Audit — ADA-adjacent
- Lighthouse fixes story — CSP tightening
Fact-check notes and sources
- GDPR Articles 5-7 (consent, data minimization): EUR-Lex GDPR Regulation 2016/679.
- ePrivacy Directive Article 5(3) (cookies and equivalent storage): EUR-Lex 2002/58/EC.
- CCPA / CPRA: California Privacy Rights Act.
- Google Consent Mode v2 requirements: Google Ads Help consent-mode.
- IAB TCF v2.2 spec: iabeurope.eu/tcf.
- Global Privacy Control spec: globalprivacycontrol.org.
- EU AI Act Article 50: EUR-Lex Regulation 2024/1689 Art 50.
- ADA Title III lawsuit trends 2024: Seyfarth Shaw annual ADA report.
This post is informational, not legal, privacy, or compliance advice. Mentions of OneTrust, Cookiebot, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi, Quantcast, TrustArc, Google, Microsoft, Facebook, LinkedIn, Hotjar, FullStory, Mixpanel, Segment, HubSpot, Intercom, Drift, Amplitude, Pendo, Rudderstack, Seyfarth Shaw, and similar products / firms are nominative fair use. No affiliation is implied. Consult a qualified attorney or privacy officer for jurisdiction-specific compliance decisions.