Start where regulators start: before consent
GDPR, read with the ePrivacy rules, requires freely given, specific, informed and unambiguous prior consent before non-essential cookies and trackers run. The word that matters is prior. Most enforcement is not about a missing banner. It is about trackers that already fired by the time the banner appeared. So the first check is simple. Load your homepage as if you had never visited, and see what runs before you click anything.
The five checks that catch most problems
- Nothing non-essential fires before consent. No analytics, advertising or social tags, and no non-essential cookies, until the visitor opts in. This is the single biggest driver of fines.
- Reject is as easy as Accept. An Accept-only banner, or a Reject that is hidden a layer deeper, is not valid consent. Both choices belong on the first screen with equal weight.
- Categories are granular. Visitors can choose analytics without being forced to accept advertising. Nothing is pre-ticked.
- You can prove consent. You can show, per visitor, what was agreed and when. A screenshot of a banner is not proof.
- Withdrawal is always available. Changing your mind is as easy as giving consent, through a persistent control.
Do it in seconds
You do not have to read network logs by hand. The free GDPR compliance scanner loads your public pages, lists the cookies and trackers that fire before consent, and maps each finding to a GDPR obligation as pass, fail or needs review. For a full inventory of every tracker and third party on the page, the cookie scanner gives you the raw list and a plain-English risk score.
A scan is a starting point, not a legal sign-off
A scan reliably catches the technical gaps, especially trackers firing before consent. It cannot read your internal processes, your data processing agreements or your retention policy. Treat the result as a prioritized to-do list, then close the gaps and keep the evidence.
How ConsentX closes the gaps
ConsentX uses prior-script blocking to hold every non-essential tag until the visitor consents, gives equal-weight Allow and Reject controls, records a tamper-evident receipt with the policy version and hash for every consent, and ships a DSAR workflow with a 30-day timer. See the GDPR compliance page for how each obligation is handled, or start free.