Waivern Consent Analyser
AI-Enhanced Compliance Report

https://www.theguardian.com  ·  CMP: Sourcepoint   🤖 AI analysis active
After Reject All (post-rejection state)
5 FAIL   31 PASS   2 MANUAL

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

[Screenshot: pre_consent] Layer 1 — Initial banner (before interaction)
[Screenshot: post_accept] Layer 2 — After Accept All (consent baseline)
[Screenshot: post_reject] After Reject All (post-rejection state)

AI Executive Summary

Overall Risk: HIGH

The Guardian's website presents significant GDPR and ePrivacy compliance risks through multiple violations including dark pattern rejection buttons, continued tracking post-rejection, and undisclosed cookies. The site appears to operate a consent-or-pay model with 'Reject all and subscribe' messaging, but this implementation creates deceptive UX patterns that violate consent requirements. Post-rejection tracking through 8 non-essential cookies and active Google Tag Manager globals demonstrates clear ePrivacy violations. Incomplete cookie policy disclosures compound transparency failures under GDPR Article 13.

Remediation Roadmap

  1. Eliminate all post-rejection tracking by preventing 8 non-essential cookies and disabling Google Tag Manager globals immediately upon rejection (high) — Resolves fundamental ePrivacy violations and prevents ongoing unlawful processing post-rejection
  2. Redesign consent banner with simple 'Reject all' button text removing subscription messaging to ensure equal prominence (low) — Eliminates dark patterns and ensures CNIL-compliant symmetrical consent interface
  3. Implement clear separation between cookie consent and subscription options through distinct user flows (medium) — Ensures consent-or-pay model complies with Orange România unbundling requirements
  4. Conduct comprehensive cookie audit and update privacy policy to include all 31 undisclosed cookies (medium) — Achieves GDPR Article 13 transparency compliance and eliminates disclosure gaps
  5. Implement automated cookie policy synchronization system to prevent future disclosure mismatches (high) — Ensures ongoing transparency compliance and reduces manual compliance burden

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

B. Pre-Consent State 0 FAIL   5 PASS   0 MANUAL
B.1 No tracking requests before consent banner interaction
✓ PASS

No consent-required domains observed before the consent signal.

B.2 No analytics/marketing cookies in Storage pre-consent
✓ PASS

No advertising cookies found in Storage before consent.

B.3 JS tracker globals return undefined pre-consent
✓ PASS

All probed tracker globals are undefined pre-consent.

B.4 No tracking identifiers in localStorage/sessionStorage pre-consent
✓ PASS

No tracking keys found in web storage pre-consent.

B.5 Non-essential scripts have type=text/plain (CMP-blocked) in DOM
✓ PASS

All tracking scripts in DOM appear to be CMP-blocked (type=text/plain) or absent.

C. Baseline Capture 0 FAIL   0 PASS   0 MANUAL
C.2 Inventory of third-party tracking domains active after Accept All
ℹ INFO

41 tracking domains active after consent-all (baseline).

domain | vendor | category | first_seen | example_url
pixel.adsafeprotected.com | IAS Pixel | MEASUREMENT | 2026-03-31T19:40:44 | https://pixel.adsafeprotected.com/services/pub?anId=10249&slot=%7Bid:dfp-ad--top-above-nav,ss:%5B1.1,2.2,728.90,940.230,
cm.g.doubleclick.net | Google DoubleClick | ADVERTISING | 2026-03-31T19:40:44 | https://cm.g.doubleclick.net/partnerpixels?gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USCFAKCJ1YJsgIAQXwRAA
ads.pubmatic.com | PubMatic | ADVERTISING | 2026-03-31T19:40:44 | https://ads.pubmatic.com/AdServer/js/google-esp.js
tags.crwdcntrl.net | Lotame | IDENTITY | 2026-03-31T19:40:44 | https://tags.crwdcntrl.net/lt/c/16589/sync.min.js
cdn.id5-sync.com | ID5 (universal ID) | IDENTITY | 2026-03-31T19:40:44 | https://cdn.id5-sync.com/api/1.0/esp.js
id5-sync.com | ID5 (universal ID) | IDENTITY | 2026-03-31T19:40:44 | https://id5-sync.com/api/esp/increment?counter=no-config
api.id5-sync.com | ID5 | IDENTITY | 2026-03-31T19:40:44 | https://api.id5-sync.com/analytics/182/id5-api-js
oajs.openx.net | OpenX | ADVERTISING | 2026-03-31T19:40:44 | https://oajs.openx.net/esp?url=https%3A%2F%2Fwww.theguardian.com%2Feurope&rid=esp
bcp.crwdcntrl.net | Lotame | IDENTITY | 2026-03-31T19:40:44 | https://bcp.crwdcntrl.net/6/map?xcid=16589
ib.adnxs.com | Xandr AppNexus | ADVERTISING | 2026-03-31T19:40:44 | https://ib.adnxs.com/getuidj?gdpr=1&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USCFAKCJ1YJsgIAQXwRAA4gQABgA
fastlane.rubiconproject.com | Magnite | ADVERTISING | 2026-03-31T19:40:45 | https://fastlane.rubiconproject.com/a/api/fastlane.json?account_id=26644&site_id=549496&zone_id=3426828&size_id=2&alt_si
rtb.openx.net | OpenX | ADVERTISING | 2026-03-31T19:40:45 | https://rtb.openx.net/openrtbb/prebidjs
elb.the-ozone-project.com | Ozone Project | IDENTITY | 2026-03-31T19:40:45 | https://elb.the-ozone-project.com/openrtb2/auction
htlb.casalemedia.com | Index Exchange | ADVERTISING | 2026-03-31T19:40:45 | https://htlb.casalemedia.com/openrtb/pbjs?s=208283
pagead2.googlesyndication.com | Google AdSense/GAM | ADVERTISING | 2026-03-31T19:40:45 | https://pagead2.googlesyndication.com/pagead/ping?e=1
google-bidout-d.openx.net | OpenX | ADVERTISING | 2026-03-31T19:40:45 | https://google-bidout-d.openx.net/w/1.0/pd?plm=5
image6.pubmatic.com | PubMatic | ADVERTISING | 2026-03-31T19:40:45 | https://image6.pubmatic.com/AdServer/UCookieSetPug?oid=5&p=156578&publisherId=156578&src=esp_google&ver=1&coppa=0&gdpr_c
pubads.g.doubleclick.net | Google DoubleClick | ADVERTISING | 2026-03-31T19:40:45 | https://pubads.g.doubleclick.net/activity;dc_iu=/59666047/DFPAudiencePixel;ord=1;dc_seg=895181798;permutive=23527?
hbopenbid.pubmatic.com | PubMatic OpenBid | ADVERTISING | 2026-03-31T19:40:45 | https://hbopenbid.pubmatic.com/translator?source=prebid-client&gzip=1
pixel.rubiconproject.com | Magnite (Rubicon) | ADVERTISING | 2026-03-31T19:40:45 | https://pixel.rubiconproject.com/exchange/sync.php?p=a9eu&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USCFAK
ssum-sec.casalemedia.com | Index Exchange | ADVERTISING | 2026-03-31T19:40:45 | https://ssum-sec.casalemedia.com/usermatch?s=192259&cb=https%3A%2F%2Faax-eu.amazon-adsystem.com%2Fs%2Fecm3%3Fex%3Dindex.
ssbsync.smartadserver.com | Smart (Equativ) | ADVERTISING | 2026-03-31T19:40:45 | https://ssbsync.smartadserver.com/api/sync?callerId=2&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USCFAKCJ1Y
dsum-sec.casalemedia.com | Index Exchange | ADVERTISING | 2026-03-31T19:40:45 | https://dsum-sec.casalemedia.com/rrum?ixi=1&cm_dsp_id=85&cb=https%3A%2F%2Fcm.g.doubleclick.net%2Fpixel%3Fgoogle_nid%3Dca
secure.adnxs.com | Xandr (AppNexus) | ADVERTISING | 2026-03-31T19:40:45 | https://secure.adnxs.com/getuid?https://usersync.gumgum.com/usersync?b=apn&i=$UID
us-u.openx.net | OpenX | ADVERTISING | 2026-03-31T19:40:45 | https://us-u.openx.net/w/1.0/cm?_={CACHEBUSTER}&id=47f31213-389c-4904-aaa6-9b11aab9c211&gdpr=1&gdpr_consent=CQh7pEAQh7pE
sync.ipredictive.com | iPromote | ADVERTISING | 2026-03-31T19:40:45 | https://sync.ipredictive.com/d/sync/cookie/generic?partner=gumgum&cspid=9&append=1&cb=${ADELPHIC_CACHE_BUSTER}&gdpr=1&gd
ep1.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 2026-03-31T19:40:45 | https://ep1.adtrafficquality.google/getconfig/sodar?sv=200&tid=gpt&tv=m202603250101&st=env&sjk=6411510798165893
securepubads.g.doubleclick.net | Google Publisher Ads | ADVERTISING | 2026-03-31T19:40:45 | https://securepubads.g.doubleclick.net/gampad/ads?pvsid=6411510798165893&correlator=3748217310167902&eid=31097431%2C3109
df2f4d698ae010735b53fbcbb2e00cc1.safeframe.googlesyndication.com | Google SafeFrame (viewability) | MEASUREMENT | 2026-03-31T19:40:45 | https://df2f4d698ae010735b53fbcbb2e00cc1.safeframe.googlesyndication.com/safeframe/1-0-45/html/container.html
sync.crwdcntrl.net | Lotame | IDENTITY | 2026-03-31T19:40:45 | https://sync.crwdcntrl.net/qmap?c=1389&tp=STSC&tpid=5f51420a-6b1b-4c94-993a-12f84b808716-69cc233d-4e4c&gdpr=1&gdpr_conse
cms.quantserve.com | Quantcast Measure | ANALYTICS | 2026-03-31T19:40:45 | https://cms.quantserve.com/pixel/p-zLwwakwy-hZw3.gif?idmatch=0&ssp=gumgum2&gdpr=1&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgA
c1.adform.net | Adform | ADVERTISING | 2026-03-31T19:40:45 | https://c1.adform.net/serving/cookie/match?party=1301&gdpr=1&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USC
ep2.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 2026-03-31T19:40:46 | https://ep2.adtrafficquality.google/sodar/sodar2.js
secure-assets.rubiconproject.com | Magnite (Rubicon) | ADVERTISING | 2026-03-31T19:40:46 | https://secure-assets.rubiconproject.com/utils/xapi/multi-sync.html?p=gumgum
eus.rubiconproject.com | Magnite (Rubicon) | ADVERTISING | 2026-03-31T19:40:46 | https://eus.rubiconproject.com/usync.html?p=gumgum
simage2.pubmatic.com | PubMatic | ADVERTISING | 2026-03-31T19:40:46 | https://simage2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTI4NzUmdGw9NDMyMDA=&gdpr=1&gdpr_consent=CQh7pEAQh7p
image2.pubmatic.com | PubMatic | ADVERTISING | 2026-03-31T19:40:46 | https://image2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZjb2RlPTIxNzcmdGw9MTI5NjAw&gdpr=1&gdpr_consent=CQh7pEAQh7pE
eu-u.openx.net | OpenX | ADVERTISING | 2026-03-31T19:40:46 | https://eu-u.openx.net/w/1.0/sd?id=537113484&val=1514120448363740908
track.adform.net | Adform Tracking | ADVERTISING | 2026-03-31T19:40:46 | https://track.adform.net/serving/cookie/match/?party=1008&gdpr=1&gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C
token.rubiconproject.com | Magnite (Rubicon) | ADVERTISING | 2026-03-31T19:40:46 | https://token.rubiconproject.com/khaos.json?gdpr_consent=CQh7pEAQh7pEABwABCENCYFgAP_gAEPgABpYKoNB5C4USCFAKCJ1YJsgIAQXwRA
tpc.googlesyndication.com | Google AdSense | ADVERTISING | 2026-03-31T19:40:46 | https://tpc.googlesyndication.com/safeframe/1-0-45/js/ext.js

C.3 Full cookie inventory (with expiry, HttpOnly, Secure, SameSite) after Accept All
ℹ INFO

34 cookies in storage after Accept All (full metadata).

name | domain | expires_days | http_only | secure | same_site | classification
GU_mvt_id | .theguardian.com | 90.0 | False | True | Lax | UNKNOWN
gu_client_ab_tests | www.theguardian.com | 30.0 | False | False | Lax | UNKNOWN
gu_v2_mvt_id | www.theguardian.com | 30.0 | False | False | Lax | UNKNOWN
GU_geo_country | www.theguardian.com | session | False | True | Lax | UNKNOWN
bwid | .theguardian.com | 365.0 | False | True | None | UNKNOWN
bwid_withoutSameSiteForIncompatibleClients | .theguardian.com | 365.0 | True | True | Lax | UNKNOWN
consentUUID | .theguardian.com | 365.0 | False | True | None | ESSENTIAL
consentDate | .theguardian.com | 365.0 | False | True | None | ESSENTIAL
_pubcid | .theguardian.com | 270.0 | False | False | Lax | UNKNOWN
_pubcid_cst | .theguardian.com | 365.0 | False | False | Lax | UNKNOWN
id5 | .id5-sync.com | 90.0 | False | True | None | UNKNOWN
test_cookie | .doubleclick.net | 0.0 | False | True | None | UNKNOWN
_scor_uid | .theguardian.com | 390.0 | False | True | None | UNKNOWN
UID | .scorecardresearch.com | 390.0 | False | True | None | UNKNOWN
XID | .scorecardresearch.com | 390.0 | False | True | None | UNKNOWN
permutive-id | .theguardian.com | 184.0 | False | True | None | UNKNOWN
uid | .criteo.com | 390.0 | False | True | None | UNKNOWN
lotame_domain_check | .theguardian.com | 0.0 | False | False | Lax | UNKNOWN
A3 | .yahoo.com | 365.2 | True | True | None | UNKNOWN
connectId | .theguardian.com | 365.0 | False | True | None | UNKNOWN
i | .openx.net | 365.0 | False | True | None | UNKNOWN
cto_bundle | .criteo.com | 390.0 | False | True | None | UNKNOWN
_cc_dc | .crwdcntrl.net | 270.0 | False | True | None | UNKNOWN
_cc_id | .crwdcntrl.net | 270.0 | False | True | None | UNKNOWN
pxid | .d6691a17-6fdb-4d26-85d6-b3dd27f55f08.prmutv.co | 91.0 | True | True | None | UNKNOWN
_cc_id | .theguardian.com | 270.0 | False | False | Lax | UNKNOWN
panoramaId_expiry | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
panoramaId | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
panoramaIdType | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
khaos | .rubiconproject.com | 365.0 | False | True | None | UNKNOWN
audit | .rubiconproject.com | 365.0 | False | True | None | UNKNOWN
cto_bundle | .theguardian.com | 390.0 | False | False | Lax | UNKNOWN
ad-id | .amazon-adsystem.com | 184.0 | True | True | None | UNKNOWN
receive-cookie-deprecation | .casalemedia.com | 365.0 | True | True | None | AD

C.4 Tracker JS globals active after Accept All (baseline)
ℹ INFO

Globals defined after consent: []

D. Decline Non-Essential Consent 0 FAIL   1 PASS   0 MANUAL
D.4 Reject requires no more clicks than Accept (EDPB symmetry)
✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

accept_clicks | reject_clicks | extra_clicks_to_reject | reject_required_manage_panel
1 | 1 | 0 | False

E. Network Request Verification 0 FAIL   4 PASS   0 MANUAL
E.1 No requests to non-essential third-party domains after reject-all
✓ PASS

No tracking domains observed post-reject.

E.2 No tracker JS libraries loaded after reject-all
✓ PASS

No tracker scripts observed post-reject.

E.3 No tracking pixels or beacons fired after reject-all
✓ PASS

No tracking beacons observed post-reject.

E.4 No tracking activity on subpages after reject-all
✓ PASS

No tracker globals or tracking storage observed on 2 subpage(s).

F. Cookie Verification (Third-Party) 0 FAIL   2 PASS   0 MANUAL
F.1 No analytics/marketing cookies present after reject-all
⚠ PARTIAL

No advertising cookies seen in request headers post-reject. Verify Storage tab with Component 2 for full confirmation.

F.2 document.cookie contains only essential cookies post-reject
✓ PASS

No advertising cookies visible in document.cookie post-reject.

doc_cookie_snippet
GU_mvt_id=173575; bwid=idFromPV_RRRliJR17YwySLr-gCLFaA; consentUUID=5fef39e5-de08-4cf3-8c8e-654f8e422ba0; GU_geo_country=NL; GU_country=NL
F.3 No tracking identifiers in web storage post-reject
✓ PASS

No tracking identifiers found in localStorage/sessionStorage post-reject.

G. First-Party Cookie Classification 2 FAIL   6 PASS   0 MANUAL
G.1 Complete first-party cookie inventory with full metadata
ℹ INFO

19 first-party cookies in Storage after Accept All.

name | domain | expires_days | http_only | secure | same_site | classification
GU_mvt_id | .theguardian.com | 90.0 | False | True | Lax | UNKNOWN
gu_client_ab_tests | www.theguardian.com | 30.0 | False | False | Lax | UNKNOWN
gu_v2_mvt_id | www.theguardian.com | 30.0 | False | False | Lax | UNKNOWN
GU_geo_country | www.theguardian.com | session | False | True | Lax | UNKNOWN
bwid | .theguardian.com | 365.0 | False | True | None | UNKNOWN
bwid_withoutSameSiteForIncompatibleClients | .theguardian.com | 365.0 | True | True | Lax | UNKNOWN
consentUUID | .theguardian.com | 365.0 | False | True | None | ESSENTIAL
consentDate | .theguardian.com | 365.0 | False | True | None | ESSENTIAL
_pubcid | .theguardian.com | 270.0 | False | False | Lax | UNKNOWN
_pubcid_cst | .theguardian.com | 365.0 | False | False | Lax | UNKNOWN
_scor_uid | .theguardian.com | 390.0 | False | True | None | UNKNOWN
permutive-id | .theguardian.com | 184.0 | False | True | None | UNKNOWN
lotame_domain_check | .theguardian.com | 0.0 | False | False | Lax | UNKNOWN
connectId | .theguardian.com | 365.0 | False | True | None | UNKNOWN
_cc_id | .theguardian.com | 270.0 | False | False | Lax | UNKNOWN
panoramaId_expiry | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
panoramaId | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
panoramaIdType | .theguardian.com | 7.0 | False | False | Lax | UNKNOWN
cto_bundle | .theguardian.com | 390.0 | False | False | Lax | UNKNOWN

G.2 MEDIUM All observed cookies declared in cookie policy
✗ FAIL

31 cookie(s) observed but not found in cookie policy at https://www.theguardian.com/privacy.

cookie_name | status
panoramaIdType | observed but not in cookie policy
receive-cookie-deprecation | observed but not in cookie policy
GU_geo_country | observed but not in cookie policy
_cc_dc | observed but not in cookie policy
khaos | observed but not in cookie policy
gu_client_ab_tests | observed but not in cookie policy
bwid_withoutSameSiteForIncompatibleClients | observed but not in cookie policy
cto_bundle | observed but not in cookie policy
UID | observed but not in cookie policy
i | observed but not in cookie policy
pxid | observed but not in cookie policy
GU_mvt_id | observed but not in cookie policy
_cc_id | observed but not in cookie policy
uid | observed but not in cookie policy
panoramaId_expiry | observed but not in cookie policy
permutive-id | observed but not in cookie policy
_scor_uid | observed but not in cookie policy
_pubcid_cst | observed but not in cookie policy
test_cookie | observed but not in cookie policy
lotame_domain_check | observed but not in cookie policy
XID | observed but not in cookie policy
bwid | observed but not in cookie policy
ad-id | observed but not in cookie policy
_pubcid | observed but not in cookie policy
GU_country | observed but not in cookie policy
gu_v2_mvt_id | observed but not in cookie policy
A3 | observed but not in cookie policy
GU_support_csrf | observed but not in cookie policy
connectId | observed but not in cookie policy
audit | observed but not in cookie policy
Regulatory basis: GDPR Art. 13 · GDPR Art. 5(1)(a)
Precedent: GDPR Article 13 requires comprehensive information provision about all processing activities, with EDPB Guidelines 05/2020 confirming that incomplete cookie disclosures violate transparency obligations.
Recommendation: Update cookie policy at https://www.theguardian.com/privacy to include all 31 undisclosed cookies and implement automated policy synchronization with deployed cookies.
G.3 Strictly necessary two-part test (AI-assisted)
✓ PASS

AI analysis: 0 cookie(s) fail the strictly-necessary test and should be absent after reject-all. Summary:

G.4 Server-side analytics/ad cookies identified in Set-Cookie headers
✓ PASS

No advertising cookies observed in Set-Cookie response headers.

G.5 No CNAME cloaking detected (first-party subdomains resolving to tracker infrastructure)
✓ PASS

No CNAME cloaking detected across 4 subdomain(s).

subdomain | cname_target | is_tracker | vendor | error
ophan.theguardian.com | (no CNAME / A record only) | False | None | None
sourcepoint.theguardian.com | (no CNAME / A record only) | False | None | None
support.theguardian.com | (no CNAME / A record only) | False | None | None
static.theguardian.com | (no CNAME / A record only) | False | None | None

G.6 Non-essential first-party cookies absent after reject-all
✓ PASS

All advertising cookies absent from Storage post-reject.

G.7 HIGH No non-essential Set-Cookie headers after reject-all
✗ FAIL

8 Set-Cookie header(s) for non-essential cookies observed post-reject.

cookie_name | domain | header | classification | timestamp
GU_mvt_id | www.theguardian.com | GU_mvt_id=173575; expires=Mon, 29 Jun 2026 19:41:03 GMT; path=/; domain=.theguardian.com; Secure | UNKNOWN | 2026-03-31T19:41:03
gu_client_ab_tests | www.theguardian.com | gu_client_ab_tests=growth-auxia-banner:control; path=/; max-age=2592000 | UNKNOWN | 2026-03-31T19:41:03
gu_v2_mvt_id | www.theguardian.com | gu_v2_mvt_id=348; path=/; max-age=2592000 | UNKNOWN | 2026-03-31T19:41:03
GU_geo_country | www.theguardian.com | GU_geo_country=NL; path=/; Secure | UNKNOWN | 2026-03-31T19:41:03
bwid | ophan.theguardian.com | bwid=idFromPV_RRRliJR17YwySLr-gCLFaA; Max-Age=31536000; Expires=Wed, 31 Mar 2027 19:41:04 GMT; SameSite=None; Path=/; Domain=.theguardian.com; Secure | UNKNOWN | 2026-03-31T19:41:04
bwid_withoutSameSiteForIncompatibleClients | ophan.theguardian.com | bwid_withoutSameSiteForIncompatibleClients=idFromPV_RRRliJR17YwySLr-gCLFaA; Max-Age=31536000; Expires=Wed, 31 Mar 2027 19:41:04 GMT; Path=/; Domain=.t | UNKNOWN | 2026-03-31T19:41:04
bwid | ophan.theguardian.com | bwid=idFromPV_RRRliJR17YwySLr-gCLFaA; Max-Age=31536000; Expires=Wed, 31 Mar 2027 19:41:07 GMT; SameSite=None; Path=/; Domain=.theguardian.com; Secure | UNKNOWN | 2026-03-31T19:41:07
bwid_withoutSameSiteForIncompatibleClients | ophan.theguardian.com | bwid_withoutSameSiteForIncompatibleClients=idFromPV_RRRliJR17YwySLr-gCLFaA; Max-Age=31536000; Expires=Wed, 31 Mar 2027 19:41:07 GMT; Path=/; Domain=.t | UNKNOWN | 2026-03-31T19:41:07
Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 7(3)
Precedent: EDPB Guidelines 2/2023 confirm that analytics and advertising cookies require consent regardless of first/third-party status, with no exemptions for post-rejection deployment.
Recommendation: Immediately cease all non-essential cookie deployment upon rejection and implement technical measures to prevent 8 identified post-rejection cookies from being set.
G.8 Cookie lifetime analysis (ITP bypass detection)
✓ PASS

No obvious ITP bypass patterns in Set-Cookie headers.

G.9 No tracking keys in first-party localStorage/sessionStorage post-reject
✓ PASS

No tracking identifiers found in first-party web storage post-reject.

H. JS Global Object Verification 1 FAIL   1 PASS   0 MANUAL
H.1 MEDIUM Tracker JS globals (ga, gtag, fbq, hj, etc.) return undefined post-reject
✗ FAIL

Tracker globals still defined after reject-all: ['google_tag_manager']

global | type
google_tag_manager | __defined_object__
Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 25
Precedent: GDPR Article 25 mandates data protection by design with non-processing as the default state, requiring active prevention of tracking mechanisms post-rejection.
Recommendation: Disable Google Tag Manager initialization and ensure all tracking globals return undefined post-rejection to comply with data protection by design requirements.
H.2 Tracker globals not merely defined without values
ℹ INFO

See H.1 — same evidence applies.

global | present
google_tag_manager | True

H.3 window.dataLayer absent or contains no tracking events post-reject
✓ PASS

dataLayer not present post-reject.

I. DOM / Source Inspection 0 FAIL   3 PASS   0 MANUAL
I.1 Tracker script tags have type=text/plain (CMP-blocked) in DOM post-reject
✓ PASS

All 0 tracker scripts correctly blocked in DOM post-reject.

I.2 Non-essential scripts blocked (type=text/plain)
✓ PASS

See I.1 — same check.

I.3 No tracker JS files in executed sources post-reject
✓ PASS

Based on DOM script inventory; full Sources tab verification requires Chrome DevTools protocol introspection (beyond current scope).

J. Safari-Specific Considerations 0 FAIL   1 PASS   2 MANUAL
J.1 ITP setting
☐ MANUAL

Requires manual browser configuration check.

J.2 ITP-off re-test
☐ MANUAL

Requires manual browser configuration check.

J.3 Server-side cookie-setting identified where ITP would block client-side
✓ PASS

No obvious ITP-bypass server-side cookies detected.

K. Consent Mechanism UX Compliance 1 FAIL   3 PASS   0 MANUAL
K.1 Reject All at same prominence and level as Accept All
✓ PASS

Reject All available at first screen at same level as Accept All.

accept_visible_at_first_screen | reject_visible_at_first_screen | reject_requires_extra_layer | accept_button_text | reject_button_text
True | True | False | Accept all | Reject all and subscribe

K.2 👁 AI Non-essential categories default to OFF
UNCLEAR

Cannot assess default toggle states for non-essential categories, as the screenshots show only the initial consent layer and post-decision pages, not the detailed preferences panel.

ai_evidence
No privacy manager/manage panel screenshot available showing individual category toggles
K.3 HIGH 👁 AI ⚖ Alt. model No dark patterns in consent banner (colour, visual hierarchy)
✗ FAIL

This constitutes a dark pattern: it makes rejecting cookies appear to carry additional consequences (a subscription requirement) compared with the simple 'Accept all' option, potentially steering users toward acceptance.

ai_evidence
Reject button labeled 'Reject all and subscribe' creates confusion by bundling rejection with subscription, making the reject path appear more complex and costly
Regulatory basis: GDPR Art. 5(1)(a) · GDPR Art. 6(1)(a)
Precedent: CJEU Orange România (C-61/19) established that consent must be genuinely free with no bundling of services or detriment for refusal.
Recommendation: Implement clear separation between cookie rejection and subscription choices to avoid bundling that undermines consent freedom per Orange România requirements.
K.5 Persistent consent withdrawal mechanism accessible after interaction
✓ PASS

Persistent consent widget found: '(consent widget)'

found | text | in_iframe
True | (consent widget) | False

K.6 Site fully accessible after declining consent (no cookie wall)
✓ PASS

Site content accessible after declining consent.

accessible
True
L. Consent State Persistence 0 FAIL   2 PASS   0 MANUAL
L.2 Consent choice respected on second tab (same session)
✓ PASS

Consent preference correctly persisted to second tab.

consent_cookie_found | ad_cookies_found | tcf_available | tcf_display_status
True | False | True | None

L.3 Declined state maintained after closing and reopening (simulate new session)
✓ PASS

No advertising cookies found on simulated return visit.

ad_cookies_on_return | total_cookies
False | 10

Additional Findings 0 FAIL   3 PASS   0 MANUAL
ADD.1 Persistent identifier bridging across consent states
✓ PASS

No persistent cross-phase identifiers detected in POST bodies.

ADD.2 TCF consent string analysis (all phases)
ℹ INFO

No TCF consent strings detected in query parameters.

phase | domain | timestamp | summary | is_reject_all | is_accept_all | cmp | tcf_policy_version | purpose_consents | li_claims | decode_error
post_accept | cm.g.doubleclick.net | 2026-03-31T19:40:44 | Accept-all (purposes 1–10 consented, CMP: Unknown CMP (ID 112)) | False | True | Unknown CMP (ID 112) | 5 | All 10 core purposes CONSENTED | [2, 7, 8, 9, 10, 11] | None

ADD.3 Session ID bridging across consent and rejection phases
✓ PASS

No session ID bridging detected across consent states.

ADD.4 Persistent vendor userIds transmitted after reject-all
✓ PASS

No persistent vendor userIds detected in post-reject requests.

Test Details 0 FAIL   0 PASS   0 MANUAL
META Site URL, test date, CMP platform
ℹ INFO

CMP identified as: Sourcepoint CMP

url | test_date | test_time_utc | cmp_detected | total_requests | phases_detected | phase_strategy
Latest news, sport and opinion from the Guardian | 2026-03-31 | 2026-03-31T19:40:48 | Sourcepoint CMP | 379 | ['pre_consent', 'post_reject'] | {'accept': 'not_detected', 'reject': 'timestamp_hint'}

Component 3 — AI analysis via claude-sonnet-4-20250514