# Why CMP Compliance Audit Exists

Scans a page for consent-management-platform (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Didomi, TrustArc). Checks IAB TCF v2.2, CCPA opt-out li...

Author: J.A. Watte
Published: April 23, 2026
Source: https://jwatte.com/blog/blog-tool-cmp-compliance-audit/

---

**TL;DR.** CCPA and GDPR require consent before loading trackers. Symmetric Accept/Reject buttons are mandatory in EU; France's CNIL has issued €200M+ in cookie-related fines since 2022.

The **[CMP Compliance Audit](/tools/cmp-compliance-audit/)** is the audit you reach for when you already suspect a problem in this dimension and need a fast, copy-paste-able fix list. It reuses the same chrome as every other jwatte.com tool — deep-links from the mega analyzers, AI-prompt export, CSV/PDF/HTML download — but the checks it runs are narrow and specific to the dimension described above.

> Scans a page for consent-management-platform (CMP) implementations (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi), checks IAB TCF v2.2 signaling, CCPA opt-out link presence, and Global Privacy Control (GPC) handling.

## Why this dimension matters

Both California CCPA/CPRA and EU GDPR require consent before loading trackers. A CMP that fires analytics before the user clicks "Accept" is technically non-compliant regardless of how the banner looks. Enforcement has tightened since 2023 — France's CNIL alone has issued €200M+ in cookie-related fines.

## Common failure patterns

- **GA4 firing before consent** — the audit checks whether `_ga` cookies are set on first load (i.e., before any user interaction with the CMP). If yes, that's a GDPR violation regardless of CMP presence.
- **"Reject All" takes more clicks than "Accept All"** — CNIL's 2022 guidance (now enforced across EU members) requires symmetric friction. A one-click Accept + two-click Reject is a fine waiting to happen.
- **Legitimate interest for cross-site advertising** — the IAB TCF 2.0 "legitimate interest" toggle for advertising vendors has been ruled non-compliant by multiple EU DPAs. Switch to consent-only for advertising vendors.
- **Shadow trackers via `<img>` pixels or `<script>` in customer templates** — Google Tag Manager can load trackers that your CMP has no visibility into. Audit the live network request list, not just what the CMP reports it loaded.
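The four checks above as an added JavaScript example (not the jwatte.com tool's own code): it runs over a constructed first-load capture (cookie jar, network log, banner click counts, TCF vendor declarations) and classifies findings with the severity scale the tool uses. The capture shape, the check names and the TCF v2.2 purpose numbers are assumptions.

```javascript
// Added example, not the jwatte.com tool's own code. Inputs are assumed to have
// been captured by a headless browser on first load, before any click on the banner.
const TRACKER_COOKIES = /^(_ga|_ga_[A-Z0-9]+|_gid|_gcl_au|_fbp)$/;
const TRACKER_HOSTS = /google-analytics\.com|analytics\.google\.com|doubleclick\.net/;
// TCF v2.2 purposes 3-6 (personalised ads/content) may no longer rely on legitimate interest.
const CONSENT_ONLY_PURPOSES = new Set([3, 4, 5, 6]);

function auditFirstLoad(obs) {
  const findings = [];
  const add = (severity, check, detail) => findings.push({ severity, check, detail });

  // 1. GA4 (or other tracker) cookies set before any interaction with the CMP.
  const early = obs.cookies.filter(c => TRACKER_COOKIES.test(c.name)).map(c => c.name);
  if (early.length) add('critical', 'ga-before-consent', `set on first load: ${early.join(', ')}`);
  else add('pass', 'ga-before-consent', 'no tracker cookies before consent');

  // 2. Live network log, not the CMP's own report: catches GTM-injected and pixel trackers.
  const hits = obs.requests.filter(u => TRACKER_HOSTS.test(u));
  if (hits.length) add('critical', 'shadow-trackers', `${hits.length} tracker request(s) before consent`);
  else add('pass', 'shadow-trackers', 'no tracker requests before consent');

  // 3. Symmetric friction: Reject All must not cost more clicks than Accept All.
  const { acceptClicks, rejectClicks } = obs.banner;
  if (rejectClicks == null) add('critical', 'reject-symmetry', 'no Reject All path found');
  else if (rejectClicks > acceptClicks) add('warning', 'reject-symmetry', `reject=${rejectClicks} clicks, accept=${acceptClicks}`);
  else add('pass', 'reject-symmetry', 'Accept and Reject cost the same number of clicks');

  // 4. TCF vendors declaring legitimate interest for consent-only advertising purposes.
  const liVendors = obs.tcf.vendors
    .filter(v => v.legIntPurposes.some(p => CONSENT_ONLY_PURPOSES.has(p)))
    .map(v => v.id);
  if (liVendors.length) add('warning', 'tcf-legitimate-interest', `vendors ${liVendors.join(', ')}`);
  else add('pass', 'tcf-legitimate-interest', 'advertising purposes are consent-only');

  return findings;
}

// Worst severity first, so the fix list reads in the same order as the playbook below.
const ORDER = { critical: 0, warning: 1, info: 2, pass: 3 };
const sortFindings = f => [...f].sort((a, b) => ORDER[a.severity] - ORDER[b.severity]);

// Constructed first-load capture of a site with a mis-wired CMP (not a real site).
const SAMPLE = {
  cookies: [{ name: '_ga', value: 'GA1.1.1234.5678' }, { name: 'CookieConsent', value: '-1' }],
  requests: ['https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX', 'https://cdn.example/app.js'],
  banner: { acceptClicks: 1, rejectClicks: 2 },
  tcf: { vendors: [{ id: 755, legIntPurposes: [2, 7] }, { id: 42, legIntPurposes: [3, 4] }] },
};

console.log(sortFindings(auditFirstLoad(SAMPLE)));
```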

## How to fix it at the source

Wire consent-mode v2 into GA4 / GTM so analytics runs in a denied-consent state before the user clicks. Use a CMP with symmetric Accept/Reject buttons and document the flow for a data-protection audit. Publish a standards-compliant /privacy, /cookies, /terms page — and /accessibility for ADA Title III coverage.

## Example fix

_Google Consent Mode v2 default-denied (put before GA4 snippet):_

```javascript
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Default to denied — analytics runs in consent-denied mode until user opts in
gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'granted',
  security_storage: 'granted',
  wait_for_update: 500
});

// After the user clicks Accept in your CMP:
// gtag('consent', 'update', { analytics_storage: 'granted', ad_storage: 'granted', … });
```

## When to run the audit

- After a major site change — redesign, CMS migration, DNS change, hosting platform swap.
- Quarterly as part of routine technical hygiene; the checks are cheap to run repeatedly.
- Before an investor / client review, a PCI scan, a SOC 2 audit, or an accessibility-compliance review.
- When a downstream metric drops (rankings, conversion, AI citations) and you need to rule out this dimension as the cause.

## Reading the output

Every finding is severity-classified. The playbook is the same across tools:

- **Critical / red** — same-week fixes. These block the primary signal and cascade into downstream dimensions.
- **Warning / amber** — same-month fixes. Drag the score, usually don't block.
- **Info / blue** — context only. Often what a PR reviewer would flag but that doesn't block merge.
- **Pass / green** — confirmation. Keep the control in place.

Every audit also emits an "AI fix prompt" — paste into ChatGPT / Claude / Gemini for exact copy-paste code patches tied to your specific stack.

## Related tools in this family

- **[Cookie + Storage Drift Audit](/tools/cookie-storage-drift-audit/)** — tracks which cookies / localStorage / IndexedDB entries show up when.
- **[Legal Pages Audit](/tools/legal-pages-audit/)** — verifies /privacy, /terms, /cookies, /accessibility exist and link correctly.
- **[GA4 / GTM Configuration Audit](/tools/ga4-gtm-config-audit/)** — checks Consent Mode v2 wiring in your specific GA4 + GTM setup.
- **[Third-Party Script Cost Audit](/tools/third-party-script-cost/)** — identifies the heaviest 3P scripts — often the same vendors with consent issues.

## Fact-check notes and sources

- EU: [General Data Protection Regulation (GDPR)](https://gdpr-info.eu/)
- California: [CCPA + CPRA official summary](https://oag.ca.gov/privacy/ccpa)
- CNIL: [2022 Cookie banner guidelines](https://www.cnil.fr/en/cookies-and-other-trackers)
- Google: [Consent Mode v2](https://developers.google.com/tag-platform/security/guides/consent)

*This post is informational and not a substitute for professional consulting. Mentions of third-party platforms in the tool itself are nominative fair use. No affiliation is implied.*

