ePrivacy / GDPR Compliance Report · ePrivacy/GDPR (EU)

Consent Compliance Report

2026-04-08 07:04:57 UTC · https://www.waivern.com · CMP: Cookiebot 🤖 AI on

📍 Analysis ran from: 🇳🇱 Amsterdam, North Holland, The Netherlands · IP: 208.77.244.106 · Railway · Results reflect how this site presents to this location.

9 FAIL · 25 PASS · 5 MANUAL

CMP Interaction

Banner detected	True
Accept button	Allow all cookies
Reject button	Accept only strictly necessary cookies
Clicks to accept / reject	1 / 1
Reject buried in manage panel	False

There’s more to GDPR compliance than cookies

This tool checks your site’s compliance with the ePrivacy Directive’s cookie consent requirements — but GDPR places many additional obligations on organisations that collect personal data. Lawful basis assessments, privacy notices, data subject rights procedures, and data processor agreements are just a few of the areas this tool cannot evaluate.

If you’d like a fuller picture of your compliance position, Waivern combines automated scanning tools like this one with experienced privacy and legal professionals who can assess your entire data protection programme. Our ongoing compliance support starts from just £200/month (ex. VAT) — straightforward, predictable pricing with no surprises.

Get in touch →

Screenshots

Pre-Consent — initial page load

Post Accept All — consent baseline

Post Reject All — compliance state

Section M — Summary

Category	Result
Pre Consent Clean	✗ FAIL
No Tracking Cookies Pre Consent	✓ PASS
Tracker Globals Undefined	✗ FAIL
No Tracking Storage Pre Consent	✓ PASS
Network Blocked After Decline	✗ FAIL
Third Party Cookies Absent	⚠ PARTIAL
Doc Cookie Clean Post Reject	✓ PASS
Web Storage Clean Post Reject	✓ PASS
First Party Cookies Classified	ℹ INFO
Server Side Cookies Gated	✓ PASS
No Cname Cloaking	☐ MANUAL
Tracker Globals Absent	✗ FAIL
Dom Scripts Blocked	✓ PASS
Reject Equals Accept Clicks	✓ PASS
No Preticked Boxes	☐ MANUAL
Persistent Withdrawal Widget	✗ FAIL
No Cookie Wall	✓ PASS
Consent Persists	✓ PASS

Run Log 74 entries · ⚠ 2 warning(s) · raw JSON

elapsed	level	session	message
0.0s	▶ STEP	MAIN	Run 906d000f started {"url": "https://www.waivern.com"}
0.0s	· INFO	MAIN	Detecting probe server location
0.2s	· INFO	MAIN	Probe location {"ip": "208.77.244.106", "city": "Amsterdam", "region": "North Holland", "country": "The Netherlands", "country_code": "NL", "org": "Railway", "latitude": 52.37403, "longitude": 4.88969}
0.2s	▶ STEP	MAIN	Starting analysis of https://www.waivern.com {"mode": "GDPR"}
0.9s	· INFO	MAIN	Chromium launched {"headless": true}
1.0s	· INFO	PREFLIGHT	Navigating to https://www.waivern.com
3.7s	· INFO	PREFLIGHT	Network idle reached
3.8s	▶ STEP	A	Session A start (accept path)
3.8s	· INFO	A	Navigating to https://www.waivern.com
5.1s	· INFO	A	Network idle reached
7.1s	· INFO	A	Capturing pre-consent state
7.3s	· INFO	A	Pre-consent state captured {"pre_consent_cookies": 0, "pre_consent_ad_cookies": 0, "pre_consent_tracking_storage": 0, "pre_consent_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "pre_consent_unblocked_scripts": 0, "pre_consent_capture_error": null}
38.1s	· INFO	A	Banner: found
38.3s	· INFO	A	Accept All interaction {"cmp": "Cookiebot", "button_text": "Allow all cookies", "clicked": true, "in_iframe": false, "error": null}
40.3s	· INFO	A	Capturing post-accept baseline state
40.4s	· INFO	A	Baseline captured {"baseline_cookies": 1, "baseline_ad_cookies": 0, "baseline_tracking_storage": 0, "baseline_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "baseline_unblocked_scripts": 0, "baseline_capture_error": null}
40.7s	· INFO	A	Context closed, HAR saved
40.7s	▶ STEP	A	Session A complete {"pre_consent_cookies": 0, "pre_consent_ad_cookies": 0, "pre_consent_tracking_storage": 0, "pre_consent_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "pre_consent_unblocked_scripts": 0, "pre_consent_capture_error": null, "baseline_cookies": 1, "baseline_ad_cookies": 0, "baseline_tracking_storage": 0, "baseline_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "baselin
40.7s	▶ STEP	B	Session B start (reject path)
40.7s	· INFO	B	Navigating to https://www.waivern.com
42.1s	· INFO	B	Network idle reached
44.1s	· INFO	B	Capturing pre-consent state
44.2s	· INFO	B	Pre-consent B captured {"pre_consent_B_cookies": 0, "pre_consent_B_ad_cookies": 0, "pre_consent_B_tracking_storage": 0, "pre_consent_B_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "pre_consent_B_unblocked_scripts": 0, "pre_consent_B_capture_error": null}
74.2s	· INFO	B	Banner: found
94.8s	· INFO	B	Click symmetry measured {"accept_clicks": 1, "reject_clicks": 0}
95.0s	· INFO	B	Reject All interaction {"cmp": "Cookiebot", "button_text": "Accept only strictly necessary cookies", "clicked": true, "clicks_required": 1, "required_manage_panel": false, "panel_navigated": false, "panel_new_frames": 0, "panel_wait_s": 0.0, "error": null}
97.0s	· INFO	B	Site accessible after reject: True
97.0s	· INFO	B	Capturing post-reject state
97.2s	· INFO	B	Post-reject captured {"post_reject_cookies": 1, "post_reject_ad_cookies": 0, "post_reject_tracking_storage": 0, "post_reject_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "post_reject_unblocked_scripts": 0, "post_reject_capture_error": null}
106.6s	· INFO	B	Persistent widget check {"found": false, "text": "", "in_iframe": false}
106.6s	· INFO	B	Capturing subpages
111.0s	· INFO	B	2 subpage(s) captured {"urls": ["https://www.waivern.com/", "https://www.waivern.com/pricing"], "errors": []}
111.6s	· INFO	B	Context closed, HAR saved
111.6s	· INFO	B	Checking pre-ticked toggles (separate session)
111.6s	· INFO	B	Navigating to https://www.waivern.com
113.1s	· INFO	B	Network idle reached
158.9s	⚠ WARN	B	Manage/preferences button not visible after 5s wait — toggle check may return 0 results
159.9s	· INFO	B	Pre-ticked toggles: 0 found {"toggles": {}}
159.9s	⚠ WARN	B	Toggle check returned 0 results — diagnostics: {"manage_button_found": false, "manage_button_text": null, "frames_scanned": [], "total_elements_found": 0, "note": "Manage/preferences button not found on page"}
159.9s	▶ STEP	B	Session B complete {"post_reject_cookies": 1, "post_reject_ad_cookies": 0, "post_reject_tracking_storage": 0, "post_reject_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "post_reject_unblocked_scripts": 0, "post_reject_capture_error": null, "accept_clicks": 1, "reject_clicks": 1, "reject_at_first_screen": true, "subpages_captured": 2}
159.9s	▶ STEP	C	Session C start (persistence check)
159.9s	· INFO	C	Navigating to https://www.waivern.com
161.3s	· INFO	C	Network idle reached
193.4s	· INFO	C	Reject for persistence test {"clicked": true, "error": null}
195.5s	· INFO	C	Opening second tab (same-session test)
195.5s	· INFO	C	Navigating to https://www.waivern.com
197.0s	· INFO	C	Network idle reached
199.0s	· INFO	C	Same-session state captured {"persistence_1_cookies": 1, "persistence_1_ad_cookies": 0, "persistence_1_tracking_storage": 0, "persistence_1_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "persistence_1_unblocked_scripts": 0, "persistence_1_capture_error": null}
199.1s	· INFO	C	Storage state saved, opening new context
199.2s	· INFO	C	Navigating to https://www.waivern.com
200.4s	· INFO	C	Network idle reached
202.4s	· INFO	C	New-session state captured {"persistence_2_cookies": 1, "persistence_2_ad_cookies": 0, "persistence_2_tracking_storage": 0, "persistence_2_tracker_globals": ["gtag", "dataLayer", "google_tag_manager"], "persistence_2_unblocked_scripts": 0, "persistence_2_capture_error": null}
202.4s	▶ STEP	C	Session C complete {"persistence_1_captured": true, "persistence_2_captured": true}
202.4s	▶ STEP	POLICY_RENDER	Rendering cookie policy page in browser
202.7s	· INFO	POLICY_RENDER	Navigating to policy: https://www.waivern.com/cookie-policy
210.5s	· INFO	POLICY_RENDER	Extracted 1262 chars from policy page
210.5s	· INFO	POLICY_RENDER	Policy page rendered (1262 chars)
210.5s	· INFO	MAIN	Browser closed
210.5s	▶ STEP	DNS	Running CNAME cloaking checks
210.5s	· INFO	DNS	Apex domain: waivern.com (from hostname: www.waivern.com)
210.7s	· INFO	DNS	Checking 0 subdomain(s) {"subdomains": []}
210.7s	· INFO	DNS	No first-party subdomains to check
210.7s	▶ STEP	POLICY	Fetching cookie policy
210.7s	· INFO	POLICY	Policy found at https://www.waivern.com/cookie-policy
210.7s	· INFO	POLICY	Fetching policy, cross-referencing 1 cookie(s)
216.3s	· INFO	POLICY	Policy fetch OK {"declared": 14, "undeclared_observed": 0, "ai_used": true}
216.3s	▶ STEP	MAIN	Analysis complete {"error_count": 0}
216.3s	▶ STEP	C1	Running Component 1 HAR analysis
216.4s	· INFO	C1	Phase hint timestamps passed to HAR analyser {"reject_click": "2026-04-08T07:02:55"}
216.4s	· INFO	C1	HAR analysis complete — 3 FAIL item(s) {"total_requests": 193, "phases": ["pre_consent", "post_reject"], "phase_strategy": {"accept": "not_detected", "reject": "timestamp_hint"}, "fail_items": ["B.1", "E.1", "E.3"]}
216.5s	· INFO	C1	Running C1 on accept-path HAR for C.2/C.3 baseline
216.5s	· INFO	C1	Accept-HAR promoted 2 item(s): ['C.2', 'C.3'] {"phases": ["pre_consent", "post_accept"]}
216.5s	▶ STEP	CHECKS	Running browser-state checks
216.5s	· INFO	CHECKS	Browser checks complete — 5 FAIL item(s) {"fail_items": ["B.3", "E.4", "H.1", "H.3", "K.5"], "mode": "gdpr"}

Detailed Findings

B. Pre-Consent State 2 FAIL 3 PASS 0 MANUAL

B.1 No tracking requests before consent banner interaction

✗ FAIL

1 tracking domain(s) made requests before any consent signal was recorded.

domain	vendor	category	request_count	first_request_time	example_url
region1.google-analytics.com	Google Analytics	ANALYTICS	1	2026-04-08T07:02:38	https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP>m=45je6461h1v9231223469za200zd9231223469&_p=177563

Recommendation: Third-party analytics and advertising scripts must not be loaded until after affirmative consent. Implement a consent-gate that defers all non-essential script initialisation until the TCF API reports a positive consent decision.

B.2 No analytics/marketing cookies in Storage pre-consent

✓ PASS

No advertising cookies found in Storage before consent.

B.3 JS tracker globals return undefined pre-consent

✗ FAIL

Tracker globals defined before consent: ['gtag', 'google_tag_manager']

global	type
gtag	function
google_tag_manager	__defined_object__

Recommendation: Tracker initialisation scripts must not execute before consent. Implement a consent gate that loads tracker SDKs only after the TCF API confirms a positive decision.

B.4 No tracking identifiers in localStorage/sessionStorage pre-consent

✓ PASS

No tracking keys found in web storage pre-consent.

B.5 Non-essential scripts have type=text/plain (CMP-blocked) in DOM

✓ PASS

All tracking scripts in DOM appear to be CMP-blocked (type=text/plain) or absent.

C. Baseline Capture 0 PASS 0 MANUAL

C.2 Inventory of third-party tracking domains active after Accept All

ℹ INFO

0 tracking domains active after consent-all (baseline).

C.3 Full cookie inventory (with expiry, HttpOnly, Secure, SameSite) after Accept All

ℹ INFO

1 cookies in storage after Accept All (full metadata).

name	domain	expires_days	http_only	secure	same_site	classification
CookieConsent	www.waivern.com	365.0	False	True	Lax	ESSENTIAL

C.4 Tracker JS globals active after Accept All (baseline)

ℹ INFO

Globals defined after consent: ['gtag', 'dataLayer', 'google_tag_manager']

global	type
gtag	function
dataLayer	__defined_object__
google_tag_manager	__defined_object__

D. Decline Non-Essential Consent 1 PASS 0 MANUAL

D.4 Reject requires no more clicks than Accept (EDPB symmetry)

✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

accept_clicks	reject_clicks	extra_clicks_to_reject	reject_required_manage_panel
1	1	0	False

E. Network Request Verification 3 FAIL 1 PASS 0 MANUAL

E.1 No requests to non-essential third-party domains after reject-all

✗ FAIL

1 tracking domain(s) continued firing after reject-all.

domain	vendor	category	request_count	in_baseline	first_seen	example_url
region1.google-analytics.com	Google Analytics	ANALYTICS	2	False	2026-04-08T07:03:07	https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP>m=45je6461h1v9231223469za200zd9231223469&_p=177563

Recommendation: Ensure Prebid.js, Google Publisher Tags, and all analytics SDKs are gated behind a TCF consent check. Use the __tcfapi('addEventListener') callback and only initialise bidders when gdprApplies=true and purpose consents are granted.

E.2 No tracker JS libraries loaded after reject-all

✓ PASS

No tracker scripts observed post-reject.

E.3 No tracking pixels or beacons fired after reject-all

✗ FAIL

2 tracking pixel/beacon call(s) post-reject.

url	vendor	category	timestamp
https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP>m=45je6461h1v9231223469za200zd9231223469&_p=177563	Google Analytics	ANALYTICS	2026-04-08T07:03:07
https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP>m=45je6461h1v9231223469za200zd9231223469&_p=177563	Google Analytics	ANALYTICS	2026-04-08T07:03:09

E.4 No tracking activity on subpages after reject-all

✗ FAIL

Tracking activity detected on 2 subpage(s) after reject.

page	global	phase
https://www.waivern.com/	gtag	subpage_1
https://www.waivern.com/	google_tag_manager	subpage_1
https://www.waivern.com/pricing	gtag	subpage_2
https://www.waivern.com/pricing	google_tag_manager	subpage_2

F. Cookie Verification (Third-Party) 1 FAIL 2 PASS 0 MANUAL

F.1 No analytics/marketing cookies present after reject-all

⚠ PARTIAL

No advertising cookies seen in request headers post-reject. Verify Storage tab with Component 2 for full confirmation.

F.2 document.cookie contains only essential cookies post-reject

✓ PASS

No advertising cookies visible in document.cookie post-reject.

doc_cookie_snippet
CookieConsent={stamp:%27GH2QzZvz0aBPVT+BzCVTTHH7iUXLPSPkwhjByw+m3L7OFk9BOmMNWw==%27%2Cnecessary:true%2Cpreferences:false%2Cstatistics:false%2Cmarketing:false%2Cmethod:%27explicit%27%2Cver:1%2Cutc:1775631775910%2Cregion:%27nl%27}

F.3 No tracking identifiers in web storage post-reject

✓ PASS

No tracking identifiers found in localStorage/sessionStorage post-reject.

G. First-Party Cookie Classification 7 PASS 1 MANUAL

G.1 Complete first-party cookie inventory with full metadata

ℹ INFO

1 first-party cookies in Storage after Accept All.

name	domain	expires_days	http_only	secure	same_site	classification
CookieConsent	www.waivern.com	365.0	False	True	Lax	ESSENTIAL

G.2 All observed cookies declared in cookie policy

✓ PASS

Cookie policy fetched from https://www.waivern.com/cookie-policy. 14 declared cookies found.

G.3 Strictly necessary two-part test (AI-assisted)

✓ PASS

AI analysis: 0 cookie(s) fail the strictly-necessary test and should be absent after reject-all. Summary: One cookie observed (CookieConsent) which appears to be a consent management cookie. While not explicitly declared in the cookie policy, this type of cookie is typically considered strictly necessary for legal compliance and remembering user consent preferences. The cookie policy appears to be generic/template content with fragmented declarations that don't properly list actual cookies used on the site.

cookie_name	declared	category	strictly_necessary_test	should_be_absent_post_reject	notes
CookieConsent	False	strictly_necessary	exempt	False	Cookie consent management cookie is typically strictly necessary to remember user's consent choices and comply with legal requirements. Not explicitly declared in the policy but serves essential legal compliance function.

G.4 Server-side analytics/ad cookies identified in Set-Cookie headers

✓ PASS

No advertising cookies observed in Set-Cookie response headers.

G.5 CNAME cloaking check (subdomains observed — DNS resolution requires Component 2)

☐ MANUAL

Found 0 first-party subdomains. Run 'dig CNAME ' against each to check for third-party infrastructure. Full automation available in Component 2.

G.6 Non-essential first-party cookies absent after reject-all

✓ PASS

All advertising cookies absent from Storage post-reject.

G.7 No non-essential Set-Cookie headers after reject-all

✓ PASS

No non-essential Set-Cookie headers observed post-reject.

G.8 Cookie lifetime analysis (ITP bypass detection)

✓ PASS

No obvious ITP bypass patterns in Set-Cookie headers.

G.9 No tracking keys in first-party localStorage/sessionStorage post-reject

✓ PASS

No tracking identifiers found in first-party web storage post-reject.

H. JS Global Object Verification 2 FAIL 0 PASS 0 MANUAL

H.1 Tracker JS globals (ga, gtag, fbq, hj, etc.) return undefined post-reject

✗ FAIL

Tracker globals still defined after reject-all: ['gtag', 'google_tag_manager']

global	type
gtag	function
google_tag_manager	__defined_object__

H.2 Tracker globals not merely defined without values

ℹ INFO

See H.1 — same evidence applies.

global	present
gtag	True
google_tag_manager	True

H.3 window.dataLayer absent or contains no tracking events post-reject

✗ FAIL

dataLayer contains 1 tracking event(s): ['gtm.dom']

event
gtm.dom
gtm.load
gtm.scrollDepth
cookie_consent_update

I. DOM / Source Inspection 3 PASS 0 MANUAL

I.1 Tracker script tags have type=text/plain (CMP-blocked) in DOM post-reject

✓ PASS

All 0 tracker scripts correctly blocked in DOM post-reject.

I.2 Non-essential scripts blocked (type=text/plain)

✓ PASS

See I.1 — same check.

I.3 No tracker JS files in executed sources post-reject

✓ PASS

Based on DOM script inventory; full Sources tab verification requires Chrome DevTools protocol introspection (beyond current scope).

J. Safari-Specific Considerations 1 PASS 2 MANUAL

J.1 ITP setting

☐ MANUAL

Requires manual browser configuration check.

J.2 ITP-off re-test

☐ MANUAL

Requires manual browser configuration check.

J.3 Server-side cookie-setting identified where ITP would block client-side

✓ PASS

No obvious ITP-bypass server-side cookies detected.

K. Consent Mechanism UX Compliance 1 FAIL 2 PASS 2 MANUAL

K.1 Reject All at same prominence and level as Accept All

✓ PASS

Reject All available at first screen at same level as Accept All.

accept_visible_at_first_screen	reject_visible_at_first_screen	reject_requires_extra_layer	accept_button_text	reject_button_text
True	True	False	Allow all cookies	Accept only strictly necessary cookies

K.2 Non-essential categories default to OFF

☐ MANUAL

Could not open preferences panel to check toggles.

K.3 No dark patterns in consent banner (colour, visual hierarchy)

☐ MANUAL

DOM-level button detection completed. Full visual assessment of colour contrast, typography prominence, and deceptive visual hierarchy requires screenshot review. See screenshots in report.

K.5 Persistent consent withdrawal mechanism accessible after interaction

✗ FAIL

No persistent consent widget found. Users cannot easily withdraw consent.

found	text	in_iframe
False		False

Recommendation: Provide a persistent mechanism for users to re-open consent preferences (floating privacy icon, footer link, or settings page). GDPR Art. 7(3) requires withdrawal to be as easy as giving consent.

K.6 Site fully accessible after declining consent (no cookie wall)

✓ PASS

Site content accessible after declining consent.

accessible
True

L. Consent State Persistence 2 PASS 0 MANUAL

L.2 Consent choice respected on second tab (same session)

✓ PASS

Consent preference correctly persisted to second tab.

consent_cookie_found	ad_cookies_found	tcf_available	tcf_display_status
True	False	False	None

L.3 Declined state maintained after closing and reopening (simulate new session)

✓ PASS

No advertising cookies found on simulated return visit.

ad_cookies_on_return	total_cookies
False	1

Additional Findings 3 PASS 0 MANUAL

ADD.1 Persistent identifier bridging across consent states

✓ PASS

No persistent cross-phase identifiers detected in POST bodies.

ADD.2 TCF consent string analysis (all phases)

ℹ INFO

No TCF consent strings detected in query parameters.

ADD.3 Session ID bridging across consent and rejection phases

✓ PASS

No session ID bridging detected across consent states.

ADD.4 Persistent vendor userIds transmitted after reject-all

✓ PASS

No persistent vendor userIds detected in post-reject requests.

Test Details 0 PASS 0 MANUAL

META Site URL, test date, CMP platform

ℹ INFO

CMP identified as: Cookiebot

url	test_date	test_time_utc	cmp_detected	total_requests	phases_detected	phase_strategy
Pricing \| Waivern Ltd	2026-04-08	2026-04-08T07:02:01	Cookiebot	193	['pre_consent', 'post_reject']	{'accept': 'not_detected', 'reject': 'timestamp_hint'}

run_id: 906d000f · raw log · ⬇ report JSON · all runs · ← Home

🤖 AI-Enhanced Analysis

Add regulatory citations, risk ratings, enforcement precedents, and a remediation roadmap using Claude AI. Results are cached — generation only runs once per report.