Measurement Health Check

20+ technical checks across four categories, all derived from the HTML, cookies, and network requests of a publicly reachable URL. It samples up to three representative pages (the entry page plus one content and one form page, when discoverable), not the whole site. With the deep scan enabled it also drives the cookie banner automatically and compares the accept state with the reject state. No login, no tracking code on your site.

• Tracking core: analytics tag, dataLayer, tag manager, server-side tracking, server-side event APIs (Meta CAPI, TikTok, LinkedIn, Enhanced Conversions)
• Consent & privacy: Consent Mode V2, IAB TCF v2.2, cookie banner detection, pre-consent cookies & scripts, 3rd-party cookies
• Performance & UX: tracking payload, third-party scripts, Privacy Sandbox (Core Web Vitals + Lighthouse audit are part of the Audit Sprint, not the free scan)
• Security & bots: HTTPS, security headers (HSTS, CSP, XFO), meta tags, JSON-LD, robots.txt, AI bot policy, llms.txt

An optional mode (a checkbox before the scan, about 15 seconds). We open the page in a real browser, drive the cookie banner automatically, and compare two states: after 'Accept all' and after 'Reject all'. That yields three findings: whether 'Reject' is actually respected (the most common GDPR finding at supervisory authorities), whether 'Accept' activates measurement, and whether a gtag consent update fires after opt-in. It needs an interactable cookie banner, otherwise the tool reports 'Consent simulation not possible'.

Yes. 'Copy link' creates a stable permalink with a social preview image that stays available for 30 days. 'Save as PDF' produces a printout, 'Copy as ticket' a Markdown block per finding for Jira, Linear, or GitHub, and 'Embed' gives you a Health Score badge.

GA4, GTM, Plausible (detected but not deep-checked), Matomo / Piwik PRO (detected). Server-side tracking (sGTM, stape.io, custom endpoints) is only visible indirectly, see the "What this tool can't see" note in the result.

Red means the check failed, e.g. no analytics tag found, Consent Mode V2 missing, pre-consent cookies set. A red check isn't a compliance violation yet, but a concrete item for setup review.

Because an honest quick check tells you whether it's worth looking deeper. If three or more checks come back red, a proper audit is the next conversation. If everything's clean, you don't need us, and we say so.

From the HTML, cookies, and network requests of a public page we can't detect:

• Server-side tracking (sGTM, Stape, custom endpoints)
• Conversion APIs (Meta CAPI, Google Enhanced Conversions, TikTok Events API)
• Anything behind the browser. BigQuery export, dbt models, CDPs, data warehouses
• Cookieless tools without detectable DOM selectors (Fathom, Pirsch, certain Plausible setups)

The scan itself stores no personal data. To keep a result shareable (permalink, social preview image, embed badge), we keep the result in the EU for 30 days: the scanned domain, the score, and the findings, nothing else. After that it deletes itself. If you also request the report by email, your address goes into our EU-hosted lead list (Listmonk, data-minimised).

Pre-consent cookies are set before the user agrees to the cookie banner. Under GDPR and ePrivacy they're only permitted if strictly necessary, analytics, marketing, or personalisation cookies don't qualify. They're the most common cause of CMP complaints to supervisory authorities.

No. 20+ checks vs. 60+ in a real audit. The tool is an early-warning system, not a compliance certificate. If multiple checks come back red or amber, a proper audit is the next conversation.

€2,400 net fixed price, 10 working days, prioritised action plan including server-side, data pipelines, and data quality. More under Request an Audit Sprint.