How the Consent & Conversion Scan Works

This scan simulates a real user visit to your website and analyzes how consent, tracking, and Google Ads conversion signals behave in the browser.

It does not rely on Google Ads or GA4 dashboards. It measures what actually happens in the user's browser, which is where consent and tracking either work - or silently break.

What This Scan Is (and Is Not)

✅ What it is

• A browser-based scan using a real Chromium environment
• A simulation of first visit → reject consent → accept consent
• A check of scripts, cookies, network requests, and consent signals
• A diagnostic tool for Consent Mode v2 and Google Ads attribution

❌ What it is not

• Not a Google Ads reporting audit
• Not a GA4 configuration review
• Not a backend or server-side attribution validator

This scan focuses on front-end behavior, because that's where consent decisions directly affect attribution.

How We Detect Tracking: Loader vs. Tags Firing

We distinguish GTM/gtag loading from tags actually firing. That way, correct implementations (GTM loaded with consent defaults set to denied) are not flagged as failing.

We do not flag

Loading the GTM container (googletagmanager.com/gtm.js)
Loading gtag.js (googletagmanager.com/gtag/js)

These need to load so Consent Mode can run. Google recommends loading GTM/gtag with consent defaults set to "denied" - the tags then wait for consent before firing.

We do flag

Third-party tracking (Meta Pixel, TikTok, Hotjar, LinkedIn, etc.) firing before consent
GA/Ads requests before consent when Consent Mode v2 is not properly set (default denied)

When Consent Mode v2 is on with default "denied", Google tags are allowed to fire before consent in anonymized state (no PII) - we do not count those as violations.

We also wait ~2 seconds after page load before checking, so CMPs that set consent defaults dynamically (e.g. Cookiebot, OneTrust, Usercentrics) have time to run.

Step-by-Step: What We Check

1. Page Load (Before Consent)

We load the page without clicking anything and observe:

Cookies set before consent
Actual tracking requests (e.g. GA collect, Meta pixel) that fire before consent - not GTM/gtag loading
Consent Mode v2 and banner behavior

This identifies issues like:

Tracking before consent
Non-essential cookies set on page load
Tags ignoring consent entirely

Why tracking before consent breaks Google Ads →

2. Consent Banner Detection

We check whether a consent banner is present and usable:

Is a banner detected?
Is there a visible Accept option?
Is there a visible Reject option?
Is the reject option actually clickable?
Which CMP (if any) is detected (e.g. Cookiebot, OneTrust, IAB TCF, Didomi)

Banner detection is heuristic-based. Highly custom or iframe-based banners may not be fully detected.

3. Google Consent Mode v2

We analyze how Consent Mode is implemented:

Is Consent Mode v2 detected?
Is the default state set to denied?
Do consent updates fire after Accept?
Do updates grant ad_storage and/or analytics_storage?

We distinguish between minimally valid setups (works for modeling) and ideally configured setups (best attribution). This avoids false failures and reflects real Google Ads behavior.

Consent Mode v2 check & common mistakes →

Common Consent Mode v2 mistakes →

4. Reject Consent Simulation

We simulate a Reject action and observe:

Whether tracking requests are blocked or reduced
Whether new cookies appear
Whether behavior differs from Accept

With Consent Mode present, some requests may still occur for modeling - this is handled correctly and not treated as a failure.

5. Accept Consent Simulation

We then simulate Accept and check:

Do tracking requests resume?
Do consent updates flip to granted?
Are cookies set only after consent?

This confirms whether consent actually enables measurement.

6. Conversion Tracking Detection

We look for Google Ads conversion capability:

Conversion tags present in scripts
Conversion IDs and labels detected
Conversion-related requests

Not observing a conversion event on this page does not mean conversions are broken. Many conversions fire only on checkout or thank-you pages.

Testing Google Ads conversion tracking →

Google Ads no conversions but GA4 does →

7. Conversion Behavior After Consent

We verify that:

Conversions do not fire before consent
Conversion tracking is not blocked after Accept
Consent does not silently prevent conversions

We only flag issues when we are confident attribution may be affected.

8. IAB TCF Consent Signals Analysis

If your site uses IAB TCF (Transparency and Consent Framework), we:

Detect TCF API presence and read declared consent signals
Track consent state changes over time (before/after user actions)
Compare declared TCF consent to actual tracking behavior
Check if TCF consent signals are passed to Google Consent Mode
Identify mismatches between what TCF declares and what actually happens

This helps explain why Google Ads measurement might break even when CMPs say everything is fine. We analyze TCF signals as supporting evidence, not as legal compliance validation.

Note: TCF detection is informational. Many sites use other consent frameworks, and that's fine - we still check all the other signals above.

How Verdicts Are Determined

The report shows a two-layer verdict: (1) Google Ads measurement - OK, At Risk, or Broken - and (2) Consent implementation - Pass, Partial, or Issues detected. This lets you see both whether conversion measurement is working and whether your consent setup has gaps (e.g. server-side setups where we verify browser behavior but not server propagation).

✅

PASS

Consent and tracking signals are aligned. Minor deviations may exist but are unlikely to affect Google Ads measurement. We sometimes pass with a note when Consent Mode v2 and conversion behavior are correct but small deviations exist (e.g. some early scripts or cookies).

⚠️

PARTIAL

Consent and tracking are partially aligned. Google Ads may still work, but attribution or optimization may be degraded.

❌

FAIL

Critical misalignment detected: conversion events firing before consent; or tracking before consent without Consent Mode v2 (and not explained by SPA hydration timing). These conditions break or heavily limit Google Ads attribution.

Server-Side Tracking

When we detect server-side Google Tag Manager (e.g. Stape, GTM Server-Side, or measurement endpoints), we do not treat "no conversion observed in the browser" as a failure - conversions may be sent from your server and are not visible in the scan.

What we verify: Consent behavior in the browser, whether Consent Mode v2 is correctly set in the client, and whether tracking respects user choice (accept vs reject). We also check whether server-bound requests change after accept vs reject when we can observe them.

What we do not verify: Google Ads account data or whether conversions are correctly implemented and attributed on your server. Server-side conversion pipelines are outside the scope of this scan.

If you pass consent to the server and do not use client-side Consent Mode, the "Consent Mode v2 not detected" result may not apply to your setup - we show a note on the report when server-side tracking is detected so you can interpret the result in context.

If you are using server-side GTM and want to forward CMP consent signals to your server container, read how to forward CMP consent to server-side GTM.

Checks requiring manual verification (when server-side is detected)

Confirm server-side events respect consent state
Confirm server-bound requests change after accept vs reject (if not already verified by the scan)

Related Resources

For readers who want more detail about how we run scans and interpret results:

Methodology - concise reference of how the scanner works, what we detect, and known limitations.
Real‑world findings - aggregated patterns we see across many sites.
Limitations & disclaimers - what we cannot verify and how to interpret results safely.
Sample report - see a full diagnostic report without running a scan.
Monitoring - ongoing scans and email alerts when something changes.

About SPA & Timing Edge Cases

Single-page applications sometimes load scripts very early during hydration (e.g. within a few hundred milliseconds of load). If Consent Mode v2 is present and consent updates fire correctly, we treat early script loading as a timing issue, not a failure. This prevents false alarms on modern frameworks.

Important Limitations (Transparency Matters)

The scan reflects browser behavior, not Google Ads UI status
Conversions may fire on other pages
Server-side tagging is not fully observable
Banner detection may miss highly custom implementations

That said, browser behavior is the source of truth for consent.

Why This Matters for Google Ads

If consent, tracking, and conversions are misaligned:

Google Ads may optimize on incomplete data
Conversion reporting becomes unreliable
Retargeting audiences may not populate
Performance drops without obvious errors

This scan surfaces issues that Google Ads does not warn you about.

Why Google Ads conversions break →

Data & Privacy

No scanned URLs are stored
Results are anonymized
Aggregate statistics may be generated from scans
No personal or business-identifiable data is collected

Who This Scan Is For

Advertisers running Google Ads
Agencies managing multiple client sites
Developers implementing Consent Mode v2
Marketers debugging missing conversions

From one-time scan to ongoing monitoring

This page describes the one-time scan: you run it once and get a report. But consent and tracking can break again after theme updates, CMP changes, or new tags. We also offer ongoing monitoring: the same browser-based scan runs on a schedule (daily, weekly, or monthly), and we email you only when we detect a change in the verdict or critical issues.

Flow: you add your URL and choose frequency → we run the same scan on schedule → we compare each run to the previous one → if something changed (e.g. PASS → PARTIAL, or new tracking-before-consent), we send an email with a link to the new report. No dashboards, no guessing - same scan logic, automated.

14-day free trial (card required). After that, $9/mo unless you cancel. Up to 5 URLs per account.

See monitoring →

Compare: one-time scan vs monitoring.

FAQ

What does the scan actually do?: It runs in a real Chromium browser, loads your URL, simulates first visit → reject consent → accept consent, and checks scripts, cookies, network requests, and Consent Mode v2. We measure what happens in the browser, not Google Ads or GA4 dashboards.
Do you flag GTM or gtag loading?: No. Loading GTM or gtag.js is required for Consent Mode. We flag tracking firing before consent (e.g. third-party pixels, or Google tags firing before consent when Consent Mode default denied is not set).
Can I run the scan on a staging or local URL?: The scan needs a publicly reachable URL. Staging or localhost URLs are not reachable from our scan environment.
Is there ongoing monitoring?: Yes. We offer monitoring: the same scan runs on a schedule (daily, weekly, or monthly) and we email you only when we detect a change. See monitoring.

See what we find for your site

Run a free scan and get a clear verdict plus optional PDF report with fix instructions.

Run free scan →

View sample report · Ongoing monitoring