Glossary

Common terms used in cookie consent, GDPR compliance, and ConsentScout scan results. Something missing? Let us know →

Advanced mode: A Google Consent Mode configuration in which Google tags (GA4, Ads) load and send cookieless "ping" requests before consent is given, rather than being blocked entirely. The tags observe consent state and upgrade to full data collection once a user accepts. ConsentScout detects Advanced mode via the gcd URL parameter and the google_tag_data.ics object. Compare: Basic mode.
Analytics cookies: Cookies that collect information about how visitors use a site — page views, session duration, traffic sources, and similar behavioural data. Under GDPR and the ePrivacy Directive, analytics cookies are classified as non-required and must not be set before a user gives consent.

Banner: The consent notice shown to visitors on first arrival. Also called a cookie notice, consent pop-up, or CMP widget. A legally compliant banner must appear before non-required cookies are set, offer a genuine choice, and record the outcome. ConsentScout detects banners by inspecting the DOM for known CMP elements and consent-related text patterns.
Basic mode: A Google Consent Mode configuration in which Google tags are blocked entirely until a user grants consent. No network requests or cookieless pings are sent before consent. ConsentScout detects Basic mode via inline script calls to gtag('consent', 'default', …) when no Advanced mode signals (gcd parameter or google_tag_data.ics) are present. Compare: Advanced mode.

CMP: Consent Management Platform. Software installed on a website to collect, record, and signal user consent choices before cookies or tracking scripts are activated. Well-known CMPs include OneTrust, Cookiebot, Didomi, CookieYes, TrustArc, and Civic Cookie Control. ConsentScout identifies CMPs using script sources, network requests, JavaScript globals, and DOM fingerprints.
Consent string: A compact encoded string — defined by the IAB TCF standard — that represents a user's consent decisions for each advertising purpose and vendor. It is stored in a browser cookie (typically euconsent-v2) and transmitted to ad-tech vendors so they know which processing is permitted.
Cookie: A small text file that a website instructs a browser to store. Cookies are used for session management, user preferences, analytics, and advertising. Under the ePrivacy Directive, setting non-essential cookies without prior informed consent is unlawful in the EU and UK.

dataLayer: A JavaScript array used by Google Tag Manager to pass structured data to tags. Google Consent Mode defaults are typically initialised via a dataLayer.push() call before GTM loads, which ConsentScout reads as evidence of consent configuration.

ePrivacy Directive: EU law (2002, amended 2009) that requires websites to obtain informed consent before storing or accessing non-essential information on a user's device — including cookies. Often called the "cookie law." It operates alongside GDPR: GDPR governs what happens to personal data once collected; ePrivacy governs the act of collection itself.
Error: A ConsentScout verdict indicating the page failed to load. Common causes include DNS failures, TCP timeouts, HTTP 4xx/5xx responses, or bot-protection blocks. Error scans are excluded from Pass/Warn/Fail statistics in research reports.

Fail: A ConsentScout verdict indicating that one or more non-required cookies (analytics, marketing, personalisation) were set before any user interaction — i.e., before consent was given. This is the clearest indicator of a pre-consent tracking violation.
First-party cookie: A cookie set by the same domain the user is visiting. Generally used for session management and preferences. Some analytics tools (e.g. GA4 in certain configurations) use first-party cookies, which are still subject to consent requirements if they collect personal data.
Functional cookies: Cookies strictly necessary for a site to deliver its core service — for example, session tokens, shopping cart state, or security tokens. These are classified as "required" and are exempt from consent requirements under the ePrivacy Directive. Also called "strictly necessary" cookies.

gcd parameter: A URL query parameter appended by Google tags (GA4, Google Ads) when Google Consent Mode is active. It encodes the current consent state as a compact string. Its presence in network requests is one of ConsentScout's strongest signals for Google Consent Mode Advanced mode operation.
GDPR: General Data Protection Regulation. EU law (effective May 2018, retained in UK law post-Brexit as UK GDPR) that governs the processing of personal data. Requires a lawful basis — which for tracking cookies is typically informed, freely given, specific, and unambiguous consent — before personal data may be collected. Enforced by national data protection authorities (in the UK: the ICO).
Google Consent Mode: A framework from Google allowing tags (GA4, Google Ads, Floodlight) to adapt their behaviour based on user consent status. When consent is denied, tags can operate in a reduced state — sending anonymous, cookieless pings (Advanced mode) or not firing at all (Basic mode). Requires explicit configuration on the site; it does not activate automatically.

HAR file: HTTP Archive. A JSON-format log of every network request the browser made during a scan — URLs, headers, status codes, timings, and response sizes. Useful for in-depth audits, as evidence in compliance investigations, or for debugging which scripts are firing and when. HAR export is available to Pro plan users on ConsentScout.
Headless browser: A web browser running without a visible user interface, controlled by code rather than a human. ConsentScout uses headless Chromium (via Playwright) with a Windows desktop user-agent and en-GB locale to load pages in a clean state — no prior cookies, no cached storage, no consent history — exactly as a first-time visitor would experience the site.

IAB / IAB Europe: Interactive Advertising Bureau. The industry body that created the Transparency and Consent Framework (TCF). IAB Europe maintains the TCF specification and the Global Vendor List — the registry of ad-tech companies that participate in the framework.
ICO: Information Commissioner's Office. The UK's independent data protection regulator. Responsible for enforcing UK GDPR, the UK ePrivacy Regulations, and the Data Protection Act 2018. The ICO can issue fines, enforcement notices, and reprimands for cookie consent failures.

Legitimate interests: One of the six lawful bases for processing personal data under GDPR. Allows processing where it is necessary for a genuine interest and not overridden by the individual's rights. Legitimate interests cannot generally be used as the lawful basis for tracking cookies — the ePrivacy Directive requires consent for non-essential cookies specifically.

Marketing cookies: Cookies used for advertising, retargeting, and tracking users across websites. Classified as non-required under GDPR and the ePrivacy Directive. Setting them before consent is obtained is a compliance failure.
Microsoft UET Consent Mode: Microsoft's equivalent of Google Consent Mode for its Universal Event Tracking (UET) tag. Signals consent state to bat.bing.com requests via parameters on the network call. ConsentScout detects UET consent mode signals when scanning pages that use Microsoft Advertising.

Non-required cookies: Cookies classified as Analytics, Marketing, or Personalisation that go beyond what is strictly necessary to deliver the requested service. Under the ePrivacy Directive, these may not be set before a user has given informed consent. The core of what ConsentScout checks for on every scan.

Pass: A ConsentScout verdict indicating that (1) no non-required cookies were set before consent was given, and (2) a recognised CMP was detected. A Pass result is the strongest positive outcome — though it is a technical assessment, not a legal opinion. See: No legal advice.
Pre-consent tracking: The act of setting non-required cookies, firing analytics scripts, or sending tracking network requests before a user has interacted with a consent notice. Under the ePrivacy Directive this is unlawful for non-essential cookies. It is the central compliance failure ConsentScout is designed to detect.

Required cookies: Cookies classified as Functional or Security that are strictly necessary for the website to operate. Session identifiers, CSRF tokens, and load-balancer affinity cookies are typical examples. These are exempt from consent requirements. Also called "strictly necessary" cookies.

TCF: Transparency and Consent Framework. A standard developed by IAB Europe that defines how CMPs should collect, encode, and communicate user consent for online advertising. Consent is recorded in a TCF consent string stored in a first-party cookie and passed to participating vendors via the CMP's JavaScript API. ConsentScout detects TCF signals including the consent cookie and the __tcfapi global.
Third-party cookie: A cookie set by a domain other than the one the user is visiting — typically an ad network, analytics provider, or data broker. Third-party cookies are the primary mechanism for cross-site tracking and retargeting. Major browsers have progressively restricted them; they remain subject to consent requirements wherever they are set.

UET: Universal Event Tracking. Microsoft's tag for conversion tracking and remarketing via Microsoft Advertising (formerly Bing Ads). See: Microsoft UET Consent Mode.

Verdict: ConsentScout’s summary assessment of a scanned URL: Pass, Warn, Fail, or Error. Each verdict is based on observable technical behaviour — cookies set, CMP detected, consent signals present — not on self-reported claims or policy documents.

Warn: A ConsentScout verdict indicating a CMP was detected but some signals are ambiguous or incomplete — for example, Google Consent Mode is absent or misconfigured, the consent default state is unclear, or cookies were set that could not be confidently classified. A Warn result warrants manual review.

FAQ →Guides →