Polaris Audit

Case #004 · 22 Apr 2026 · 6 min read

How to Test If Your Cookie Banner Is GDPR Compliant

The green light in your CMP dashboard is not proof of compliance. Stop looking at the UI and start looking at the network.

TL;DR

  • Visual inspection is useless; trackers fire invisibly behind the banner UI
  • The "Hard Reload" test is the only way to catch race conditions and early firing
  • Check the Network tab for collect (GA4), tr (Meta), and activity (TikTok) calls before any click
  • Compliance isn't a one-time setup; new marketing tags often bypass old consent rules

Verdict

Compliance is a binary network state: either the request left the browser before consent, or it didn’t. If you can’t verify this for every major tracker on your site, you are currently operating on hope, not evidence.

The Dashboard Illusion

Most CMP dashboards (Cookiebot, OneTrust, Axeptio) show you “Compliance Status: OK.” This usually just means your monthly scan finished and your banner is visible. It does not mean your GTM triggers are correctly wired or that a race condition isn’t firing your Meta Pixel 200ms before the banner appears.

Regulators don’t check your dashboard. They check the requests hitting third-party servers from a clean-session browser load.

The Manual Verification Protocol

To test a banner manually, you must simulate a first-time visitor with zero cached data.

  1. Open a new Incognito/Private window.
  2. Open DevTools > Network tab.
  3. Check “Disable Cache.”
  4. Filter by the tracker domain (e.g., google-analytics.com or facebook.com).
  5. Load the URL.

If anything appears in that list before you touch the “Accept” button, the banner has failed.


Identifying the “Big Three” Leaks

Different trackers use different request patterns. You need to know what “leakage” looks like in the network trace:

  • GA4: Look for /collect requests. If the en (event name) is page_view before consent, you’re leaking.
  • Meta Pixel: Look for tr?id=. This is the signal that user data is being sent to Meta’s servers.
  • Hotjar/Clarity: Look for WebSocket connections or large POST requests to their respective domains immediately on load.

Why Manual Testing Fails at Scale

A manual audit takes 5 minutes per page. If you have a site with a blog, a checkout, and multiple landing pages, a full audit is hours of repetitive work. Worse, it only captures a single moment in time. The moment a marketing intern adds a “New Lead” event to GTM without a consent trigger, your manual audit is obsolete.

Automated Forensics

This is why we built the Polaris scanner. It automates the manual protocol: launching a headless browser, loading the page, intercepting every network request, and classifying them against GDPR definitions. It catches the race conditions that human eyes miss and the GTM triggers that were never set up.
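The manual protocol and the leak patterns above, turned into a classifier over a captured request list, as an added example that is not the Polaris scanner: it assumes a headless browser has already handed you each request as { url, method, resourceType, t } (t in ms since navigation start), and the TikTok, Hotjar and Clarity hostnames are assumptions; the sample capture is constructed.

```javascript
// Added example, not the Polaris scanner: classify requests that a headless browser
// captured during a clean pre-consent page load against the tracker patterns above.
// The request shape { url, method, resourceType, t } (t = ms since navigation start)
// is an assumption; the hostnames for TikTok, Hotjar and Clarity are assumed too.

const TRACKER_RULES = [
  { name: "GA4",            // /collect hit; report the event name (en) that fired
    match: (u) => /(^|\.)google-analytics\.com$/.test(u.hostname) && u.pathname.endsWith("/collect"),
    detail: (u) => `en=${u.searchParams.get("en") ?? "?"}` },
  { name: "Meta Pixel",     // tr?id=<pixel id>
    match: (u) => /(^|\.)facebook\.com$/.test(u.hostname) && u.pathname === "/tr" && u.searchParams.has("id"),
    detail: (u) => `id=${u.searchParams.get("id")}` },
  { name: "TikTok",         // "activity" call
    match: (u) => /(^|\.)tiktok\.com$/.test(u.hostname) && u.pathname.includes("activity"),
    detail: () => "activity" },
  { name: "Hotjar/Clarity", // WebSocket or POST to their domains on load
    match: (u, r) => /(^|\.)(hotjar\.com|clarity\.ms)$/.test(u.hostname) &&
      (r.resourceType === "websocket" || r.method === "POST"),
    detail: (u, r) => (r.resourceType === "websocket" ? "websocket" : "POST") },
];

// One finding per tracker request that left the browser before consent, earliest
// first, so a race condition shows up as a concrete millisecond offset.
function findPreConsentLeaks(requests) {
  const findings = [];
  for (const r of requests) {
    let u;
    try { u = new URL(r.url); } catch { continue; }      // skip data:/blob:/malformed URLs
    for (const rule of TRACKER_RULES) {
      if (rule.match(u, r)) findings.push({ tracker: rule.name, t: r.t, detail: rule.detail(u, r) });
    }
  }
  return findings.sort((a, b) => a.t - b.t);
}

// Constructed capture: first-party assets plus three trackers firing before any click.
const SAMPLE_CAPTURE = [
  { url: "https://example.com/", method: "GET", resourceType: "document", t: 0 },
  { url: "https://cdn.example.com/app.js", method: "GET", resourceType: "script", t: 90 },
  { url: "https://www.facebook.com/tr?id=000000000&ev=PageView", method: "GET", resourceType: "image", t: 180 },
  { url: "https://www.google-analytics.com/g/collect?v=2&en=page_view&tid=G-XXXXXX", method: "POST", resourceType: "xhr", t: 210 },
  { url: "wss://ws.hotjar.com/api/v2/client/ws", method: "GET", resourceType: "websocket", t: 450 },
];

console.log(findPreConsentLeaks(SAMPLE_CAPTURE));
```

Feed it the request log from a Puppeteer or Playwright run that never clicked the banner; an empty result is the only passing state.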

