Does your site load trackers before visitors consent?

Paste your URL. We analyze your page source, identify every tracking script, and check whether it's gated behind consent.

No signup required. Results in seconds. EU-hosted.

What we catch

60+ trackers across 6 categories. We scan your HTML for tracking scripts, cookie headers, and data transfers to non-EU countries.

Analytics (6): Google Analytics 4, Matomo, Mixpanel, Heap, Amplitude, Adobe Analytics

Advertising (15): Meta Pixel, Google Ads, TikTok Pixel, LinkedIn Insight, Pinterest Tag, Snapchat Pixel, Twitter / X Pixel, Bing Ads / UET, Criteo, Reddit Pixel, Taboola, Outbrain, Quora Pixel, AdRoll, Amazon Ads

Session Recording (10): Hotjar, Microsoft Clarity, FullStory, Crazy Egg, Mouseflow, Lucky Orange, LogRocket, Smartlook, Inspectlet, Glassbox

Chat & Marketing (13): HubSpot, Intercom, Drift, Zendesk, Marketo, Pardot / Salesforce, ActiveCampaign, Tawk.to, Freshchat, LiveChat, Crisp, Tidio, Olark

A/B Testing & CDPs (10): Optimizely, VWO, AB Tasty, Kameleoon, Dynamic Yield, Segment, Tealium, mParticle, RudderStack, Yahoo DSP

Embeds & Utilities (8): Google Tag Manager, Google reCAPTCHA, Google Fonts (remote), Google Maps, YouTube embeds, Vimeo embeds, Calendly

17 consent platforms recognised for consent-gating checks

Each tracker is scored on a three-level severity scale based on what it transmits and to whom. Datacenter-IP analytics (Google Analytics, Mixpanel, Adobe) transmit visitor IPs and behavioral data to US servers and are flagged as violations if they load before consent. Advertising pixels (Meta, TikTok, Google Ads) link visitor activity to identified advertising profiles and carry the same severity. Session recording tools (Hotjar, FullStory, Microsoft Clarity) capture pageviews, mouse movements, and form input, often inadvertently picking up personal data, so they are flagged with the highest severity regardless of declared purpose.

Chat and embed tools vary. An embedded YouTube video sets cookies on first frame load (warning). A HubSpot chat widget sets persistent cookies and is treated like advertising (violation). Google Fonts loaded from fonts.googleapis.com transmits the visitor IP to Google's servers in Mountain View, which is why a German court (Munich, January 2022) awarded EUR 100 in damages against a site owner for embedding remote Google Fonts without consent. Self-hosting fonts removes the issue.

False positives are real and worth being explicit about. If your CMP has properly deferred a script (using type="text/plain" or attribute-based gating) and the script source URL still appears in the HTML, the scanner may flag it even though it does not actually load before consent. The scanner reads attributes and checks for known consent-gating patterns from 17 CMPs, but custom CMPs that manage scripts in non-standard ways can produce false positives. Verify any flagged result against your browser's DevTools Network tab. If the request does not fire on first page load, the scanner over-reported.

How the scanner works

Fetch your page source

We make a single HTTP request to your URL from our EU-based server and retrieve the raw HTML source code, just like a browser would on first load.

Parse every script tag

We extract all <script> elements (both external sources and inline code), <noscript> tracking pixels, and HTTP response headers.

Match against 60+ known trackers

Each script is matched against our database of tracker URL patterns and initialization code signatures. If Google Tag Manager is detected, we also fetch and analyze the GTM container configuration to identify which tags fire unconditionally.

Check consent gating

For each tracker found, we check whether it's properly deferred behind a consent mechanism: type="text/plain", CMP data attributes, Consent Mode v2 configuration, or other consent-gating patterns. Ungated trackers are flagged.
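The four steps above, as an added example that is not Clickport's scanner: a minimal static scan in Node.js that parses `<script>` tags and `<noscript>` pixels out of an HTML string, matches them against a small signature table, and decides whether each hit is consent-gated. The fetch step is replaced by a constructed HTML string so the example runs offline. The signature patterns are illustrative, the severity mapping follows the page's description, and `data-cookieconsent` (Cookiebot's attribute) is assumed here as one example of a CMP gating attribute; the false-positive caveat from earlier applies unchanged, since anything deferred in a non-standard way will still be reported.

```javascript
// Added example, not Clickport's scanner. Signature patterns are illustrative;
// data-cookieconsent is an assumed (Cookiebot-style) CMP gating attribute.

const TRACKER_SIGNATURES = [
  { name: "Google Analytics 4", category: "analytics",
    src: /googletagmanager\.com\/gtag\/js/i, inline: /gtag\(\s*['"]config['"]/ },
  { name: "Google Tag Manager", category: "embeds",
    src: /googletagmanager\.com\/gtm\.js/i, inline: /googletagmanager\.com\/gtm\.js/ },
  { name: "Meta Pixel", category: "advertising",
    src: /connect\.facebook\.net\/[^"']*fbevents\.js|facebook\.com\/tr\?/i,
    inline: /fbq\(\s*['"]init['"]/ },
  { name: "Hotjar", category: "session_recording",
    src: /static\.hotjar\.com/i, inline: /_hjSettings\s*=/ },
];

// Attributes treated as consent gating in addition to type="text/plain".
const CMP_GATING_ATTRS = ["data-cookieconsent"]; // assumption: Cookiebot-style example

// Step 2: turn the raw attribute string of a tag into a lowercase-keyed map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Step 4: a script is gated if the browser will not execute it as-is
// (type="text/plain") or a CMP attribute marks it for later activation.
function isGated(attrs) {
  const type = (attrs.type || "").trim().toLowerCase();
  if (type === "text/plain") return true;
  return CMP_GATING_ATTRS.some((a) => a in attrs);
}

// Severity as the page describes it: gated scripts are fine, GTM on first hit
// is contested (warning), ungated analytics/ads/session recording are violations.
function severityFor(category, gated) {
  if (gated) return "ok";
  if (category === "embeds") return "warning";
  return "violation";
}

// Steps 2-4 over a raw HTML string. Returns one finding per (tracker, gated) pair.
function scanHtml(html, signatures = TRACKER_SIGNATURES) {
  const seen = new Map();
  const record = (sig, gated, via) => {
    const key = `${sig.name}|${gated}`;
    if (!seen.has(key)) {
      seen.set(key, { name: sig.name, category: sig.category, gated,
                      severity: severityFor(sig.category, gated), via });
    }
  };

  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const body = m[2];
    for (const sig of signatures) {
      if (attrs.src && sig.src.test(attrs.src)) record(sig, isGated(attrs), attrs.src);
      else if (!attrs.src && sig.inline.test(body)) record(sig, isGated(attrs), "inline");
    }
  }

  // <noscript> pixels only render for visitors with scripting disabled, where
  // no CMP can run, so an <img> pixel there can never be consent-gated.
  const noscriptRe = /<noscript\b[^>]*>([\s\S]*?)<\/noscript>/gi;
  while ((m = noscriptRe.exec(html)) !== null) {
    const imgRe = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
    let im;
    while ((im = imgRe.exec(m[1])) !== null) {
      for (const sig of signatures) {
        if (sig.src.test(im[1])) record(sig, false, im[1]);
      }
    }
  }
  return [...seen.values()];
}

// Constructed page: GA4 hardcoded (ungated), Hotjar and Meta Pixel deferred by a
// CMP, plus Meta's <noscript> fallback pixel. IDs are placeholders.
const SAMPLE_HTML = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script type="text/plain" data-cookieconsent="statistics" src="https://static.hotjar.com/c/hotjar-000000.js?sv=6"></script>
<script type="text/plain" data-cookieconsent="marketing">fbq('init','000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000&ev=PageView&noscript=1"/></noscript>
</head><body></body></html>`;

console.table(scanHtml(SAMPLE_HTML));
```

On the constructed page this reports the hardcoded GA4 loader as a violation, the two deferred scripts as ok, and the `<noscript>` pixel as a separate ungated Meta Pixel finding. The same script matched twice (GA4's external loader and its inline `gtag('config', ...)` call) collapses into one finding because findings are keyed on tracker name plus gating state.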

What the scanner does NOT do. Static analysis is fast, deterministic, and reproducible, but it has limits we should be honest about. The scanner does not simulate clicking your cookie banner, so we check whether scripts are gated, not whether they fire correctly after consent. The scanner does not execute JavaScript, so trackers loaded purely through dynamic injection (a custom loader that builds and appends script tags on the fly) are invisible. The scanner does not follow redirects or scan multiple pages: each scan covers exactly the URL you provide, and tracking on a /privacy or /checkout sub-page can differ. The scanner does not replace a legal review: severity ratings are based on published DPA decisions and the ePrivacy Directive's "strictly necessary" criterion, but whether a specific finding constitutes a violation in your jurisdiction is a question for a privacy lawyer.

The trade-off is intentional. Every visitor who hits your page sees the same source code, so what we detect on a single fetch is the same thing every visitor would receive. A dynamic browser-rendered audit would catch more edge cases but would be slower, more expensive to run, and would still miss anything that loads conditionally based on browser fingerprints or geolocation.

What the scanner checks against

Each finding maps to a specific GDPR article or ePrivacy Directive provision. The rules are the same across all 27 EU member states; enforcement varies by national DPA.

ePrivacy Directive, Article 5(3): the foundational cookie rule

"The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent."

Any cookie, localStorage entry, or device-storage operation set by a non-essential script requires consent before the storage occurs. The EDPB's 2020 Cookie Guidelines confirm that analytics cookies do not qualify for the "strictly necessary" exemption. The scanner flags any tracker that sets storage on first page load as a violation against this article.

GDPR Article 6: lawfulness of processing

Processing of personal data is lawful only if at least one of six conditions applies: consent, contract, legal obligation, vital interests, public interest, or legitimate interests.

Even if a script does not set cookies, transmitting a visitor's IP address to a third-party server is processing of personal data. Google Analytics 4 transmits IP addresses (anonymised after the fact, but still received in their original form). The scanner flags transmission to non-EU servers as a finding because it requires both an Article 6 lawful basis AND a separate transfer mechanism under Articles 44-50.

GDPR Article 7: conditions for consent

Consent must be freely given, specific, informed, and unambiguous. The data subject must be able to withdraw consent as easily as they gave it.

A cookie banner with a giant "Accept All" button and a tiny "Manage" link does not meet "freely given" or "as easy to withdraw." Pre-ticked boxes do not meet "unambiguous." The UK ICO audited 200 top websites in January 2025 and found 67% non-compliant. The scanner does not test the visual design of your banner (that is a manual review) but does flag configurations where consent appears to be pre-set or where the CMP fires before any user interaction.

GDPR Article 25: privacy by design and default

Controllers must implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose is processed.

Loading 15+ trackers by default for "marketing" purposes when one analytics tool would suffice violates the data minimisation principle. The scanner counts your tracker total and flags pages with disproportionate third-party script load as a privacy-by-default issue, separate from the per-tracker findings.

GDPR Articles 44-50: transfers to third countries

Transfers of personal data to a third country (outside the EU/EEA) are permitted only if the country ensures an adequate level of data protection or specific safeguards (Standard Contractual Clauses, Binding Corporate Rules) are in place.

Transferring visitor data to US servers currently relies on the EU-US Data Privacy Framework, which is in effect but under legal challenge. The Framework has been struck down twice before (Safe Harbor 2015, Privacy Shield 2020) and faces a third challenge from NOYB. The scanner identifies trackers that transmit to US servers and flags the transfer-mechanism dependency as a risk.

The scanner does not weigh in on what your lawful basis should be (consent vs legitimate interests vs contract). That is a question your DPO or legal counsel decides for each processing activity. What the scanner does is catch the technical evidence: scripts loading before consent, transmissions to non-EU servers, missing CMP gating, and the misconfigured Consent Mode v2 setups that send pings to Google even when the user clicks "Reject."

What the scan results mean

Findings are grouped into three severity levels. Here is what each level means and what to do about it.

Violation (red): scripts that set storage or transmit personal data before consent

What it means. The script is loading on first page hit, before the visitor has had any opportunity to accept or reject. This is a clear breach of ePrivacy Article 5(3) for storage operations and likely a breach of GDPR Article 6 for personal-data transmission.

What to do. Either gate the script behind your CMP using consent-mode patterns (set the script type to text/plain until consent is given, then activate it) or remove the script if it is not essential. For analytics specifically, consider replacing the cookie-based tool with a cookieless analytics tool that does not require consent because it stores nothing on the visitor's device.

Warning (amber): legally contested or jurisdiction-dependent findings

What it means. The configuration is plausibly compliant but depends on contested legal interpretations or jurisdiction-specific rulings. Examples: Consent Mode v2 in advanced mode (sends pings to Google with the visitor IP even when consent is rejected, no DPA has ruled on this yet), Google Tag Manager loaded on first page hit (German VG Hannover ruled this requires consent in August 2025; other countries have not), embedded YouTube videos using the standard youtube.com domain instead of youtube-nocookie.com.

What to do. Review with legal counsel for your jurisdiction. Where the contested issue has a privacy-friendlier alternative (youtube-nocookie, self-hosted fonts, gated GTM), use it. Document your decision so you can defend it if a DPA inquiry arrives.

Note (blue): not flagged but a privacy-friendlier alternative exists

What it means. The current configuration is not a violation, but a more privacy-respecting option exists. Examples: a session recording tool that captures form input by default (you could configure it to mask), a heavy chat widget loading on every page (you could lazy-load it on click), an A/B testing tool active on a page that has no current experiment running.

What to do. Optional. Notes are surfaced for your awareness. If you are tightening the page for performance or compliance, address them.

A common pattern after running this scan: the site owner has a properly installed cookie banner, but the analytics or advertising scripts are hardcoded in the HTML and fire before the banner is even shown. The banner asks for consent that the scripts have already ignored. This is the single most common cause of failed scans, and the fix is in the CMP configuration, not in the banner copy. See our full guide: Do I Need a Cookie Banner on My Website?

Frequently asked questions

How do I know if my website is GDPR compliant?

There are three layers to compliance and you have to pass all of them.

Technical layer: are your tracking scripts gated behind consent? This is what the scanner above checks. If trackers fire before the user accepts cookies, you have a finding regardless of how good your privacy policy is.

Documentation layer: do you have a privacy policy that names the data you collect, the legal basis, the retention period, the recipients, and the user's rights? Do you have a Data Processing Agreement (DPA) with each third-party processor? The scanner does not check this; you do.

Operational layer: if a visitor exercises their rights (Article 15 access, Article 17 erasure, Article 20 portability), can your team actually fulfil the request within 30 days? If a breach occurs, can you notify the relevant DPA within 72 hours? This is process and tooling, not page configuration.

The scanner gives you a green light on the first layer. The other two are your responsibility.

Does my website have to be GDPR compliant?

If anyone in the EU or EEA can access your site, yes. The GDPR's territorial scope (Article 3) applies to any controller or processor that offers goods or services to data subjects in the Union, or monitors their behaviour. There is no requirement that your business be based in the EU. A US e-commerce site that ships to Germany is in scope. A US marketing blog tracking visitor IP addresses from EU readers is in scope.

The same logic applies to most other privacy regimes that have followed: the UK GDPR (post-Brexit, near-identical rules), the Swiss FADP (similar effect), Brazil's LGPD, Quebec's Law 25, and the patchwork of US state laws (CCPA in California, plus 19+ other states with active legislation as of 2026). The technical bar is broadly the same: do not transmit personal data without a lawful basis, do not set tracking storage without consent, give users a way to access and delete their data.

How do I make my website GDPR compliant?

In rough order, from highest impact to lowest:

1. Stop loading non-essential scripts before consent. Either install a CMP that properly gates scripts (most do not by default; check your configuration) or replace cookie-based trackers with cookieless alternatives that do not need consent at all.

2. Replace third-party services that transfer data to non-EU servers when an EU-hosted equivalent exists. Self-host Google Fonts. Use an EU-hosted analytics tool. Use an EU-based email provider for transactional and marketing email.

3. Write or update your privacy policy to reflect what your site actually does. If the policy mentions tools you no longer use, or fails to mention tools you do use, the policy itself is non-compliant.

4. Sign Data Processing Agreements with every third party that processes personal data on your behalf. Most providers have a standard DPA available on request.

5. Set up an internal process for handling data-subject access, deletion, and portability requests. The legal deadline is 30 days; you should be able to fulfil a request in less.

For most small to mid-sized sites, step 1 closes 70%+ of the actual technical risk. The scanner above is built to find what step 1 missed.

What happens if my site fails GDPR compliance?

Enforcement varies by member state and by the severity of the breach. The headline numbers (4% of global annual turnover, EUR 20 million maximum fine) are the ceiling for the worst breaches. In practice, the realistic risk profile for a typical website is:

Complaint-driven inquiry from a DPA. A visitor or competitor reports your site to your national DPA. The DPA opens an inquiry, asks you for documentation, and either issues a warning or imposes a fine. Most fines for cookie violations have been in the EUR 5,000 to 600,000 range (Kruidvat: EUR 600,000 in 2024 for tracking cookies on health pages; Coolblue: EUR 40,000 for pre-ticked consent boxes).

Civil suit by a data subject. Article 82 allows individuals to sue for material and non-material damages. The Munich court awarded EUR 100 in 2022 for an embedded Google Font transferring an IP to the US. Aggregate exposure depends on how many visitors are willing to claim.

Reputation cost. Privacy-aware customers notice. Coverage of major fines reaches consumer media. The harder-to-measure cost is trust.

The honest truth: most small sites with cookie violations are never enforced against. The risk profile is real but not uniform. The reason to fix violations is not just to avoid the fine; it is that the visitors you cannot see (the ones rejecting consent or running ad blockers) are typically the most privacy-aware ones, who are also disproportionately your most engaged audience. Loading trackers without consent is not just a legal problem; it is a measurement problem.

Methodology and limitations

This tool performs static analysis of your page's HTML source code. It detects tracking scripts, cookies, and consent mechanisms by pattern matching against a database of 60+ known trackers and 17 consent management platforms.

Static analysis catches the vast majority of real-world tracking implementations because most trackers are loaded via <script> tags or inline code that's visible in the HTML source. The evidence is deterministic and reproducible: if a tracker script exists in your HTML without consent gating, it will fire every time the page loads.

This tool does not execute JavaScript. Trackers loaded purely through custom dynamic script injection (not via GTM or standard script tags) may not be detected. For sites using complex custom loaders, results may be incomplete. When in doubt, supplement this scan with a manual check using your browser's DevTools Network tab.

Is it illegal to load analytics before consent?

Yes, under the ePrivacy Directive Article 5(3), setting non-essential cookies or accessing a user's device for tracking requires prior consent. Analytics cookies do not qualify for the "strictly necessary" exemption. Multiple EU data protection authorities (Austria, France, Italy) have issued formal orders against websites loading Google Analytics without valid consent.

What about Google Consent Mode v2?

Consent Mode v2 in "advanced" mode still sends cookieless pings to Google including the visitor's IP address and page URL, even when consent is denied. No data protection authority has ruled on this yet, which is why we flag it as a warning rather than a violation. The legal status is genuinely contested.

Does Google Tag Manager require consent?

Loading GTM transmits the visitor's IP address to Google servers regardless of which tags fire inside the container. In August 2025, a German court (VG Hannover) ruled that this requires consent under German telecom privacy law (TTDSG). In other EU countries, this is a warning rather than a clear violation.

Why is my site failing? I have a cookie banner.

Having a cookie banner is not the same as properly gating your scripts behind it. Many sites install a consent banner but leave their tracking scripts hardcoded in the HTML, meaning the trackers fire immediately on page load regardless of what the visitor clicks. To fix this, your scripts need to be deferred (e.g., with type="text/plain") and only activated after consent is granted through your CMP. See our full guide: Do I Need a Cookie Banner on My Website?
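The deferral-then-activation fix described here, and in the "Violation" remediation step above, as an added example that is not Clickport's code and not any particular CMP's API: tracking tags ship as `type="text/plain"` so the browser never evaluates them, and a function run from the CMP's consent callback swaps the tags whose category the visitor accepted for executable ones. The `data-consent-category` attribute and the category names are assumptions made for this example.

```javascript
// Added example, not Clickport's code and not a specific CMP's API. The
// data-consent-category attribute and category names are assumptions.
//
// Markup the page would carry before consent (IDs are placeholders):
//   <script type="text/plain" data-consent-category="analytics"
//           src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
//   <script type="text/plain" data-consent-category="marketing">
//     fbq('init', '000000000'); fbq('track', 'PageView');
//   </script>

const DEFERRED_SELECTOR = 'script[type="text/plain"][data-consent-category]';

// Decision step, kept DOM-free so it can be unit tested: given plain descriptors
// ({ type, category }) and the granted categories, which scripts may run now?
function selectActivatable(scripts, grantedCategories) {
  const granted = new Set(grantedCategories);
  return scripts.filter((s) =>
    (s.type || "").trim().toLowerCase() === "text/plain" &&
    typeof s.category === "string" && granted.has(s.category));
}

// DOM step (runs in the browser from the CMP's "consent given" callback).
// Flipping the type attribute in place does nothing: a browser evaluates a
// script element only when it is first inserted, so each deferred tag is
// replaced by a fresh element carrying the same src or inline code.
function activateConsentedScripts(doc, grantedCategories) {
  const granted = new Set(grantedCategories);
  const deferred = Array.from(doc.querySelectorAll(DEFERRED_SELECTOR));
  let activated = 0;
  for (const old of deferred) {
    if (!granted.has(old.getAttribute("data-consent-category"))) continue; // stays inert
    const fresh = doc.createElement("script");
    for (const { name, value } of Array.from(old.attributes)) {
      if (name === "type" || name === "data-consent-category") continue;
      fresh.setAttribute(name, value); // src, async, defer, id ... carried over
    }
    if (!old.getAttribute("src")) fresh.textContent = old.textContent; // inline snippet
    old.parentNode.replaceChild(fresh, old);
    activated += 1;
  }
  return activated;
}

// Wiring on a real page: the CMP calls this with the categories the visitor
// accepted. A "Reject" click calls nothing, so the text/plain tags never run.
//   window.onConsentGranted = (cats) => activateConsentedScripts(document, cats);
```

Because the tags are inert until `activateConsentedScripts` runs, a scanner reading the HTML sees `type="text/plain"` and treats them as gated; checking the DevTools Network tab on first load should then show no request to the tracker's host until the banner is accepted.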

What does this tool NOT detect?

This tool analyzes your HTML source statically. It does not detect trackers that are loaded exclusively through custom JavaScript bundles with no static script tags. It also does not execute JavaScript, so it cannot observe runtime cookie behavior. For most websites, static analysis catches 90%+ of tracking implementations. If your site uses a custom dynamic loader, supplement this check with your browser's DevTools.

Is this tool free?

Yes, completely free. No signup, no email required. We built this tool because we believe every website owner should be able to check their compliance without paying for an enterprise audit. Clickport is a cookieless analytics platform that does not require a consent banner. This checker is our way of showing what that difference looks like in practice.

This is a technical scan that analyzes your page's HTML source for tracking scripts loaded without consent gating. Severity ratings are based on published DPA decisions. Whether a specific finding constitutes a violation for your jurisdiction requires legal review.