CMP Vendor Cookie Compliance
"Physician, heal thyself."
The companies that sell privacy tools should be experts. They sell compliance to others. Yet a scan of 42 homepages for Consent Management Platforms (CMPs) and privacy vendors shows that many cannot follow their own rules.
Only two sites definitively passed the scan. Eleven failed outright. These eleven "expert" sites set trackers for services such as Google, LinkedIn, and Twitter before a user interacts with their banners.
The list of failures includes names like Complianz, Didomi, and Cookie Information. These firms sell the very tools they fail to use correctly on their own domains. Complianz, for example, sets Google Analytics cookies immediately on page load. Its own Google Consent Mode integration is broken.
What the data shows
The verdict breakdown is stark. Of 38 sites that returned a valid result, just 2 passed and 11 failed. The remaining 25 received a warn verdict - meaning a consent banner was detected but signals were ambiguous: Google Consent Mode missing or misconfigured, banners present but non-required cookies already set.
The 11 failing sites share a common pattern. A banner appears. A user sees an "Accept" button. But the trackers have already started. Google Analytics fires on arrival. LinkedIn's lidc and bcookie cookies are set. The banner is decoration.
Google Consent Mode: a split picture
On GCM adoption, the industry shows more self-awareness than the cookie compliance results suggest. 17 of the 38 valid sites - 45% - have Google Consent Mode correctly configured in Advanced mode. That is a higher rate than the general web, where Advanced adoption remains low.
But 25 sites still fall short: 3 have broken or partial integrations, and 22 have no GCM implementation at all. For companies whose customers are often buying consent infrastructure partly because of GCM requirements, that gap is difficult to explain.
A failure of the industry
This is more than a technical slip. It is a credibility problem for an entire sector.
If a vendor cannot secure its own homepage, a customer cannot fully trust the tool they buy. The presence of a cookie banner is not evidence of compliance. These results show that a banner can exist alongside systematic non-compliance - and that even specialists in consent management are not immune.
The data also reveals that 25 of the 42 vendors have no identifiable consent management platform on their own site. Some may use custom implementations not yet recognised by our scanner. Others may have no consent layer at all.
Methodology
Scans were performed using ConsentScout with headless Chromium (Windows desktop user agent, en-GB locale). Each URL was loaded once in a fresh browser context (no stored cookies, no cached storage, no prior consent state) with no user interaction. A site is marked PASS only if, on first load, (1) no cookies classified as non-required (Analytics, Marketing, or Personalisation) are set, and (2) a recognised Consent Management Platform (CMP) is detected. FAIL indicates that one or more cookies were set on first load that are not typically considered "required" for delivering the requested service (e.g., analytics identifiers, marketing tags, cross-site IDs, or similar). WARN indicates cookies were set that ConsentScout could not confidently classify and therefore require manual verification. Sites returning HTTP errors, DNS failures, or timeouts are excluded from PASS/WARN/FAIL totals.
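The verdict rules above can be expressed as a short check over a first-load cookie jar; this is an added example, not ConsentScout's code. The name patterns come from the failing-sites table, while the `REQUIRED` allow-list, the sample jars, the function names, and the WARN result for a clean jar with no CMP are assumptions.

```javascript
// Added example: first-load verdict logic following the Methodology rules.
// Rule table and function names are assumptions, not ConsentScout's code.

// Name patterns and categories as listed in the "Failing sites" table.
const RULES = [
  { re: /^_ga(_|$)/, category: "Analytics" },       // _ga and _ga_<id>
  { re: /^_gid$/, category: "Analytics" },
  { re: /^_gat(_|$)/, category: "Analytics" },
  { re: /^_pk_(id|ses)\./, category: "Analytics" },
  { re: /^_gcl_au$/, category: "Marketing" },
  { re: /^(lidc|bcookie)$/, category: "Marketing" },
];
// Hypothetical allow-list of cookies treated as required for these samples.
const REQUIRED = new Set(["PHPSESSID", "csrftoken"]);

function classify(cookie) {
  if (REQUIRED.has(cookie.name)) return "Required";
  const hit = RULES.find((r) => r.re.test(cookie.name));
  return hit ? hit.category : "Unknown";
}

// cookies: [{ name, domain }] captured on first load with no interaction.
// cmpDetected: whether a recognised CMP was found on the page.
function verdict(cookies, cmpDetected) {
  const nonRequired = [], unknown = [];
  for (const c of cookies) {
    const cat = classify(c);
    if (cat === "Unknown") unknown.push(`${c.name}@${c.domain}`);
    else if (cat !== "Required") nonRequired.push(`${c.name}@${c.domain} (${cat})`);
  }
  let result;
  if (nonRequired.length > 0) result = "FAIL";   // trackers set before consent
  else if (unknown.length > 0) result = "WARN";  // needs manual verification
  else if (cmpDetected) result = "PASS";         // clean jar and a recognised CMP
  else result = "WARN";                          // assumption: the page leaves this case open
  return { result, nonRequired, unknown };
}

// Constructed sample jars (not scan data).
const SAMPLES = {
  trackersBehindBanner: [{ name: "_ga", domain: ".example.test" },
                         { name: "lidc", domain: ".linkedin.com" }],
  unclassified: [{ name: "PHPSESSID", domain: "example.test" },
                 { name: "xyz_pref", domain: "example.test" }],
  clean: [{ name: "csrftoken", domain: "example.test" }],
};

for (const [label, jar] of Object.entries(SAMPLES)) {
  console.log(label, verdict(jar, true).result);
}
```

The first sample fails even with `cmpDetected` set to true, which is the banner-alongside-trackers pattern the report describes.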
Pass, Warn, Fail
Verdict distribution across 42 CMP and privacy vendor homepages. Only 2 sites achieved a clean pass - no non-required cookies before consent. 11 failed outright, setting trackers before any interaction.
Google Consent Mode Adoption
17 of 38 valid vendor sites have Google Consent Mode correctly configured in Advanced mode - higher than the general web average. 3 have broken integrations and 18 have none at all.
Cookies Firing Before Consent on Failing Sites
The non-required cookies most frequently observed firing before consent on the 11 failing vendor sites. Google Analytics and LinkedIn dominate - the same trackers these vendors promise to control on their customers' behalf.
What Tool Does Each Vendor Use on Their Own Site?
Which consent management platform each scanned vendor deploys on its own homepage. 'None detected' means our scanner found no recognised CMP - the majority of vendors have no identifiable consent layer at all.
Failing sites
| site | url | cmp | bannerDetected | gcmEnabled | uetEnabled | requiredCount | nonRequiredCount | unknownCount | nonRequiredCookies |
|---|---|---|---|---|---|---|---|---|---|
| complianz.io | https://complianz.io/ | Complianz (90%) | yes (100%) | yes:Broken:defaultUnknown | no | 2 | 2 | 1 | _ga_HSF5X8LB5V@.complianz.io (Analytics); _ga@.complianz.io (Analytics) |
| cookie-script.com | https://cookie-script.com/ | | yes (100%) | yes:Broken:defaultUnknown | no | 3 | 4 | 3 | lidc@.linkedin.com (Marketing); bcookie@.linkedin.com (Marketing); _ga@.cookie-script.com (Analytics); _ga_6HZSPS6QTR@.cookie-script.com (A… |
| cookieinformation.com | https://cookieinformation.com/ | Cookie Information (90%) | yes (100%) | no | no | 1 | 1 | 0 | ppms_privacy_abc414f3-8979-472f-8144-649ea65a057f@cookieinformation.com (Analytics) |
| cytrio.com | https://cytrio.com/ | | yes (100%) | yes:Broken:defaultUnknown | no | 1 | 9 | 8 | _gcl_au@.cytrio.com (Marketing); _gid@.cytrio.com (Analytics); _gat_UA-181294237-1@.cytrio.com (Analytics); _ga_B8TW433JHH@.cytrio.com (Ana… |
| illow.io | https://illow.io/ | | yes (100%) | yes:Advanced:defaultUnknown | no | 5 | 10 | 21 | _li_ss@i.liadm.com (Marketing); _rdt_uuid@.bigid.com (Marketing); muc_ads@.t.co (Marketing); guest_id_marketing@.twitter.com (Marketing); g… |
| myagileprivacy.com | https://myagileprivacy.com/ | | yes (40%) | yes:Advanced:defaultUnknown | no | 1 | 2 | 5 | _pk_id.1.87ff@www.myagileprivacy.com (Analytics); _pk_ses.1.87ff@www.myagileprivacy.com (Analytics) |
| www.didomi.io | https://www.didomi.io/ | Didomi (80%) | yes (80%) | no | no | 2 | 1 | 0 | _gcl_au@.didomi.io (Marketing) |
| www.duda.co | https://www.duda.co/ | OneTrust (90%) | yes (90%) | no | no | 6 | 7 | 3 | dm_timezone_offset@www.duda.co (Analytics); dm_last_page_view@www.duda.co (Analytics); dm_this_page_view@www.duda.co (Analytics); dm_last_v… |
| www.ecwid.com | https://www.ecwid.com/ | | no | no | no | 0 | 3 | 11 | intercom-id-ux7f0ki6@.ecwid.com (Analytics); intercom-session-ux7f0ki6@.ecwid.com (Analytics); intercom-device-id-ux7f0ki6@.ecwid.com (Anal… |
| www.webtoffee.com | https://www.webtoffee.com/ | | yes (100%) | yes:Advanced:defaultUnknown | no | 3 | 1 | 1 | _gcl_au@.webtoffee.com (Marketing) |
| www.wix.com | https://www.wix.com/ | | no | no | no | 7 | 1 | 1 | svSession@.www.wix.com (Marketing) |
This report is provided “as is” for research and informational purposes only and does not constitute legal, compliance, or professional advice. Results are derived from automated testing and heuristic classification and may contain false negatives or misclassification. Observed behaviour can vary materially due to location, timing, consent state, user settings, experimentation, third-party scripts, and vendor configuration. No representations or warranties are made regarding accuracy, completeness, non-infringement, or suitability for any purpose. Use of this report and any reliance on it is entirely at your own risk. The author accepts no responsibility or liability (to the fullest extent permitted by law) for any direct or indirect loss, reputational harm, or other consequences arising from use, publication, or interpretation of these findings.