Why CMP Compliance Audit Exists

The CMP Compliance Audit is the audit you reach for when you already suspect a problem in this dimension and need a fast, copy-paste-able fix list. It reuses the same chrome as every other jwatte.com tool — deep-links from the mega analyzers, AI-prompt export, CSV/PDF/HTML download — but the checks it runs are narrow and specific.

Scans a page for consent-management-platform (CMP) implementations (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Complianz, Borlabs, Didomi), checks IAB TCF v2.2 signaling, CCPA opt-out link presence, and Global Privacy Control (GPC) handling.

Why this dimension matters

EU law (the ePrivacy Directive as transposed by each member state, with GDPR governing the resulting processing) requires consent before non-essential trackers are loaded. California's CCPA/CPRA is an opt-out regime for adults: a "Do Not Sell or Share" link and the GPC signal must be honored, but prior consent is only required for consumers under 16. A CMP that fires analytics before the user clicks "Accept" is therefore non-compliant in the EU regardless of how the banner looks. Enforcement has tightened since 2020: France's CNIL alone has issued well over €200M in cookie-related fines, including €150M against Google and €60M against Meta in January 2022 for banners with no one-click reject.

Common failure patterns

  • GA4 firing before consent — the audit checks whether _ga / _ga_* cookies are set on first load, before any user interaction with the CMP. In the EU that is a violation regardless of CMP presence: the cookie is written before any consent exists, and a banner that is shown but not yet answered does not change that.
  • "Reject All" takes more clicks than "Accept All" — CNIL's 2020 guidance, enforced since 2021 and echoed in the EDPB cookie-banner task force report of January 2023, requires that refusing be as easy as accepting. A one-click Accept next to a two-click Reject (accept on the banner, reject behind "Settings") is exactly what the January 2022 Google and Meta fines were for.
  • Legitimate interest for cross-site advertising — EU DPAs never accepted the TCF "legitimate interest" basis for advertising, and TCF v2.2 (2023) removed legitimate interest as a legal basis for Purposes 3–6 (building profiles for, and selecting, personalised ads and content). If your stack still signals LI for advertising vendors it is on a superseded spec: switch those purposes to consent-only and upgrade to v2.2.
  • Shadow trackers via <img> pixels or <script> in customer templates — Google Tag Manager, a CMS theme, or an embedded widget can load trackers that your CMP never sees and so never gates. Audit the live network request list (DevTools or a HAR capture from a cold browser profile), not just the tags the CMP reports as blocked or loaded.
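The first-load cookie check described above, as an added example that is not the jwatte.com tool's code: it takes the document.cookie string a cold-profile crawler reads after load (no banner click) and classifies known tracker cookies, using the post's critical/info severity scale. The cookie-name patterns are each vendor's documented defaults and the CMP state-cookie names are the defaults of the CMPs named in the post; the sample cookie strings are constructed for this example.

```javascript
// Added example, not the jwatte.com tool's code: classify the cookies present on a
// page's first load (before any CMP interaction) as pre-consent tracker cookies.
// Tracker patterns are the vendors' documented default cookie names; the CMP
// state-cookie names are the defaults of the CMPs named in the post.

const TRACKER_PATTERNS = [
  { re: /^_ga$/,            vendor: 'Google Analytics',   purpose: 'analytics' },
  { re: /^_ga_[A-Z0-9]+$/,  vendor: 'Google Analytics 4', purpose: 'analytics' },
  { re: /^_gid$/,           vendor: 'Google Analytics',   purpose: 'analytics' },
  { re: /^_gcl_au$/,        vendor: 'Google Ads',         purpose: 'advertising' },
  { re: /^_fb[pc]$/,        vendor: 'Meta Pixel',         purpose: 'advertising' },
  { re: /^_hj/,             vendor: 'Hotjar',             purpose: 'analytics' },
];

// Cookies the CMP itself writes to remember a choice. They are strictly necessary
// (exempt), and their presence means this is not a true first load.
const CMP_STATE_PATTERNS = [
  /^CookieConsent$/,      // Cookiebot
  /^OptanonConsent$/,     // OneTrust
  /^cookieyes-consent$/,  // CookieYes
  /^euconsent-v2$/,       // TCF consent string (Didomi and others)
  /^cmplz_/,              // Complianz
  /^borlabs-cookie/,      // Borlabs
];

// Parse a document.cookie-style string ("a=1; b=2") into name/value pairs.
function parseCookieString(cookieString) {
  return cookieString.split(';')
    .map(s => s.trim())
    .filter(Boolean)
    .map(pair => {
      const eq = pair.indexOf('=');
      return eq < 0 ? { name: pair, value: '' }
                    : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
    });
}

// Returns { consentAlreadyStored, findings }. A tracker cookie with no stored
// choice is critical (written before consent existed); with a CMP state cookie
// present the user already answered the banner, so it is reported as info.
function auditFirstLoadCookies(cookieString) {
  const cookies = parseCookieString(cookieString);
  const consentAlreadyStored =
    cookies.some(c => CMP_STATE_PATTERNS.some(re => re.test(c.name)));
  const findings = [];
  for (const c of cookies) {
    const hit = TRACKER_PATTERNS.find(p => p.re.test(c.name));
    if (!hit) continue;
    const finding = { cookie: c.name, vendor: hit.vendor, purpose: hit.purpose,
                      severity: consentAlreadyStored ? 'info' : 'critical' };
    // GA4 names its cookie after the measurement ID: _ga_ABC123 <-> G-ABC123,
    // which tells you which property is firing early.
    const m = /^_ga_([A-Z0-9]+)$/.exec(c.name);
    if (m) finding.measurementId = 'G-' + m[1];
    findings.push(finding);
  }
  return { consentAlreadyStored, findings };
}

// Constructed sample: what a cold-profile crawler might read from document.cookie
// after load, with no click on the banner.
const COLD_LOAD =
  '_ga=GA1.1.1234567890.1700000000; _ga_ABC123=GS1.1.1700000000.1.0.0; ' +
  'PHPSESSID=abc; _fbp=fb.1.1700000000.42';
```

Run it against the document.cookie value captured after load from a fresh browser profile (or the Cookie header of the second request in a HAR); any critical finding is a tracker that was set before the banner was answered.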

How to fix it at the source

Wire Consent Mode v2 into GA4 / GTM so that every consent type (analytics_storage, ad_storage, ad_user_data, ad_personalization) defaults to denied before the CMP is answered and is only updated by the CMP's callback. Note the two Consent Mode flavours: in basic mode Google tags do not fire at all until consent is granted; in advanced mode GA4 still sends cookieless pings in the denied state, which still transmit the visitor's IP address to Google, so basic mode is the conservative choice. Use a CMP with symmetric Accept/Reject buttons and document the flow for a data-protection audit. Publish standards-compliant /privacy, /cookies and /terms pages, plus /accessibility for ADA Title III coverage.
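The Consent Mode v2 wiring described above, as an added example (not jwatte.com's code and not a snippet from any CMP): defaults are set to denied before any Google tag loads, and only a CMP callback updates them. In a browser this goes in <head> ahead of the GTM/gtag snippet; here dataLayer is a plain array so the same code runs under Node. onCmpChoice() is a hypothetical adapter whose argument shape is an assumption, since each CMP exposes its own callback.

```javascript
// Added example, not the jwatte.com tool's code: Google Consent Mode v2 wiring that
// defaults every consent type to denied and only updates after the CMP reports a
// choice. dataLayer/gtag mirror Google's snippet; onCmpChoice() is a hypothetical
// adapter, not any CMP's real callback.

const dataLayer = [];
function gtag() { dataLayer.push(arguments); }   // same shape as Google's snippet

// The four consent types GA4 / Google Ads honor; ad_user_data and
// ad_personalization are the two added in Consent Mode v2.
const CONSENT_TYPES =
  ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Must run before any Google tag loads. wait_for_update asks tags to hold for up
// to 500 ms for the CMP's stored choice before acting on these defaults.
function setDeniedDefaults() {
  const defaults = { wait_for_update: 500 };
  for (const t of CONSENT_TYPES) defaults[t] = 'denied';
  gtag('consent', 'default', defaults);
}

// Called by the CMP whenever the user answers the banner or changes settings.
// Analytics and advertising are granted independently so a "statistics only"
// choice does not unlock ad cookies.
function onCmpChoice(choice) {
  const ads = choice.advertising ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  });
}

// Replays the consent commands in dataLayer to compute the state a tag would see.
// Handy in a test or a DevTools console to confirm nothing is granted before the
// banner is answered.
function effectiveConsent() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    for (const t of CONSENT_TYPES) if (t in entry[2]) state[t] = entry[2][t];
  }
  return state;
}

setDeniedDefaults();   // runs at load, before GTM or gtag.js is injected
```

If you serve both EU and US visitors, the real default call usually carries a `region` array (for example denying everything for EU country codes and granting analytics elsewhere); the replay helper above still works, it just ignores the region key.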

When to run the audit

  • After a major site change — redesign, CMS migration, DNS change, hosting platform swap.
  • Quarterly as part of routine technical hygiene; the checks are cheap to run repeatedly.
  • Before an investor / client review, a PCI scan, a SOC 2 audit, or an accessibility-compliance review.
  • When a downstream metric drops (rankings, conversion, AI citations) and you need to rule out this dimension as the cause.

Reading the output

Every finding is severity-classified. The playbook is the same across tools:

  • Critical / red: same-week fixes. These block the primary signal and cascade into downstream dimensions.
  • Warning / amber: same-month fixes. Drag the score, usually don't block.
  • Info / blue: context-only. Often what a PR reviewer would flag but that doesn't block merge.
  • Pass / green: confirmation — keep the control in place.

Every audit also emits an "AI fix prompt" — paste into ChatGPT / Claude / Gemini for exact copy-paste code patches tied to your stack.

Related tools

  • Cookie + Storage Drift Audit — Flags pre-consent trackers, document.cookie writes, and localStorage writes in the initial HTML: the typical GDPR / ePrivacy failure modes.
  • Legal Pages Audit — Probes a site for Privacy Policy, Terms of Service, Accessibility Statement, Cookie Policy, Disclaimer, Refund Policy, DMCA agent, and DPA.
  • GA4 / GTM Configuration Audit — Detects Google Analytics 4 + Google Tag Manager on a page.
  • Third-Party Script Cost Audit — Enumerates every external script on a page, estimates transfer size + main-thread cost, ranks by impact.

Fact-check notes and sources

This post is informational and not a substitute for professional consulting. Mentions of third-party platforms in the tool itself are nominative fair use. No affiliation is implied.

Last updated: April 2026