Clickport
Start free trial
Dashboard Engagement Tracking Goal Conversions Privacy First vs Google Analytics vs Matomo
For Bloggers For Affiliates For E-commerce For SaaS For Agencies
How It Works Blog Documentation GDPR Checker Updates WordPress Custom Events About Contact Status

Does your site load trackers before visitors consent?

Paste your URL. We analyze your page source, identify every tracking script, and check whether it's gated behind consent.

No signup required Results in seconds EU-hosted

What we check

Tracking scripts

We parse every <script> tag in your HTML and match it against 20+ known trackers including GA4, Facebook Pixel, Hotjar, Clarity, TikTok, and more.

Cookie headers

We inspect HTTP Set-Cookie response headers for known tracking cookies. These fire before any JavaScript consent logic can execute.

Data transfers

We flag trackers that send data to the US or other non-EU countries, and note whether the vendor is covered by the EU-US Data Privacy Framework.

How the scanner works

Fetch your page source

We make a single HTTP request to your URL from our EU-based server and retrieve the raw HTML source code, just like a browser would on first load.

Parse every script tag

We extract all <script> elements (both external sources and inline code), <noscript> tracking pixels, and HTTP response headers.

Match against 20+ known trackers

Each script is matched against our database of tracker URL patterns and initialization code signatures. If Google Tag Manager is detected, we also fetch and analyze the GTM container configuration to identify which tags fire unconditionally.

Check consent gating

For each tracker found, we check whether it's properly deferred behind a consent mechanism: type="text/plain", CMP data attributes, Consent Mode v2 configuration, or other consent-gating patterns. Ungated trackers are flagged.

Methodology and limitations

This tool performs static analysis of your page's HTML source code. It detects tracking scripts, cookies, and consent mechanisms by pattern matching against a database of 20+ known trackers and 17 consent management platforms.

Static analysis catches the vast majority of real-world tracking implementations because most trackers are loaded via <script> tags or inline code that's visible in the HTML source. The evidence is deterministic and reproducible: if a tracker script exists in your HTML without consent gating, it will fire every time the page loads.

This tool does not execute JavaScript. Trackers loaded purely through custom dynamic script injection (not via GTM or standard script tags) may not be detected. For sites using complex custom loaders, results may be incomplete. When in doubt, supplement this scan with a manual check using your browser's DevTools Network tab.

Frequently asked questions

Is it illegal to load analytics before consent?

Yes, under the ePrivacy Directive Article 5(3), setting non-essential cookies or accessing a user's device for tracking requires prior consent. Analytics cookies do not qualify for the "strictly necessary" exemption. Multiple EU data protection authorities (Austria, France, Italy) have issued formal orders against websites loading Google Analytics without valid consent.

What about Google Consent Mode v2?

Consent Mode v2 in "advanced" mode still sends cookieless pings to Google including the visitor's IP address and page URL, even when consent is denied. No data protection authority has ruled on this yet, which is why we flag it as a warning rather than a violation. The legal status is genuinely contested.

Does Google Tag Manager require consent?

Loading GTM transmits the visitor's IP address to Google servers regardless of which tags fire inside the container. In August 2025, a German court (VG Hannover) ruled that this requires consent under German telecom privacy law (TTDSG). In other EU countries, this is a warning rather than a clear violation.

Why is my site failing? I have a cookie banner.

Having a cookie banner is not the same as properly gating your scripts behind it. Many sites install a consent banner but leave their tracking scripts hardcoded in the HTML, meaning the trackers fire immediately on page load regardless of what the visitor clicks. To fix this, your scripts need to be deferred (e.g., with type="text/plain") and only activated after consent is granted through your CMP.

What does this tool NOT detect?

This tool analyzes your HTML source statically. It does not detect trackers that are loaded exclusively through custom JavaScript bundles with no static script tags. It also does not execute JavaScript, so it cannot observe runtime cookie behavior. For most websites, static analysis catches 90%+ of tracking implementations. If your site uses a custom dynamic loader, supplement this check with your browser's DevTools.

Is this tool free?

Yes, completely free. No signup, no email required. We built this tool because we believe every website owner should be able to check their compliance without paying for an enterprise audit. Clickport is a cookieless analytics platform that does not require a consent banner. This checker is our way of showing what that difference looks like in practice.

This is a technical scan that analyzes your page's HTML source for tracking scripts loaded without consent gating. Severity ratings are based on published DPA decisions. Whether a specific finding constitutes a violation for your jurisdiction requires legal review.