Waivern Consent Analyser
AI-Enhanced Compliance Report

https://www.waivern.com  ·  CMP: Cookiebot   🤖 AI analysis active
After Reject All (post-rejection state)
10 FAIL   25 PASS   3 MANUAL

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

Layer 1 — Initial banner (before interaction)
pre_consent
Layer 2 — After Accept All (consent baseline)
post_accept
After Reject All (post-rejection state)
post_reject

AI Executive Summary

Overall Risk: HIGH

Waivern.com shows significant GDPR and ePrivacy compliance violations including pre-consent tracking, continued processing after consent withdrawal, and inadequate consent mechanisms. The site initiates tracking requests and defines Google Analytics/GTM globals before user consent, violating the ePrivacy Directive's requirement for prior consent. Post-rejection tracking continues across multiple domains and subpages, breaching GDPR consent withdrawal requirements. The absence of a persistent consent withdrawal mechanism and misleading button language ('Accept only strictly necessary') constitute dark patterns prohibited under recent EDPB guidance.

Remediation Roadmap

  1. Implement consent-gated loading to prevent all tracking before user interaction (high) — Addresses fundamental ePrivacy violation and reduces regulatory exposure significantly
  2. Deploy persistent consent management widget for ongoing user control (medium) — Ensures GDPR Article 7(3) compliance and user empowerment throughout site experience
  3. Fix post-rejection tracking across all domains and subpages (high) — Critical for consent withdrawal effectiveness and user trust maintenance
  4. Clean up technical tracking remnants (globals, dataLayer events) (medium) — Prevents inadvertent data collection and strengthens technical compliance posture
  5. Revise consent banner language to eliminate dark patterns (low) — Improves transparency and reduces risk of deceptive design enforcement action

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

B. Pre-Consent State 2 FAIL   3 PASS   0 MANUAL
B.1 HIGH No tracking requests before consent banner interaction
✗ FAIL

1 tracking domain(s) made requests before any consent signal was recorded.

domain: region1.google-analytics.com  ·  vendor: Google Analytics  ·  category: ANALYTICS  ·  request count: 1  ·  first request time: 2026-04-08T07:02:38  ·  example url: https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP&gtm=45je6461h1v9231223469za200zd9231223469&_p=177563
Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 6(1)(a)
Precedent: EDPB Guidelines 2/2023 confirm analytics tracking requires prior consent regardless of first/third-party distinction.
Recommendation: Prevent all non-essential tracking requests until explicit user consent is obtained through the consent banner.
B.2 No analytics/marketing cookies in Storage pre-consent
✓ PASS

No advertising cookies found in Storage before consent.

B.3 HIGH JS tracker globals return undefined pre-consent
✗ FAIL

Tracker globals defined before consent: ['gtag', 'google_tag_manager']

global: gtag  ·  type: function
global: google_tag_manager  ·  type: __defined_object__
Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 25
Precedent: GDPR Art. 25 requires non-processing as the default state, violated when tracking globals are pre-loaded.
Recommendation: Implement conditional loading of tracking scripts only after positive consent to ensure data protection by design.
B.4 No tracking identifiers in localStorage/sessionStorage pre-consent
✓ PASS

No tracking keys found in web storage pre-consent.

B.5 Non-essential scripts have type=text/plain (CMP-blocked) in DOM
✓ PASS

All tracking scripts in DOM appear to be CMP-blocked (type=text/plain) or absent.

C. Baseline Capture 0 FAIL   0 PASS   0 MANUAL
C.2 Inventory of third-party tracking domains active after Accept All
ℹ INFO

0 tracking domains active after consent-all (baseline).

C.3 Full cookie inventory (with expiry, HttpOnly, Secure, SameSite) after Accept All
ℹ INFO

1 cookies in storage after Accept All (full metadata).

name: CookieConsent  ·  domain: www.waivern.com  ·  expires days: 365.0  ·  http only: False  ·  secure: True  ·  same site: Lax  ·  classification: ESSENTIAL
C.4 Tracker JS globals active after Accept All (baseline)
ℹ INFO

Globals defined after consent: ['gtag', 'dataLayer', 'google_tag_manager']

global: gtag  ·  type: function
global: dataLayer  ·  type: __defined_object__
global: google_tag_manager  ·  type: __defined_object__
D. Decline Non-Essential Consent 0 FAIL   1 PASS   0 MANUAL
D.4 Reject requires no more clicks than Accept (EDPB symmetry)
✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

accept clicks: 1  ·  reject clicks: 1  ·  extra clicks to reject: 0  ·  reject required manage panel: False
E. Network Request Verification 3 FAIL   1 PASS   0 MANUAL
E.1 HIGH No requests to non-essential third-party domains after reject-all
✗ FAIL

1 tracking domain(s) continued firing after reject-all.

domain: region1.google-analytics.com  ·  vendor: Google Analytics  ·  category: ANALYTICS  ·  request count: 2  ·  in baseline: False  ·  first seen: 2026-04-08T07:03:07  ·  example url: https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP&gtm=45je6461h1v9231223469za200zd9231223469&_p=177563
Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a)
Precedent: GDPR Art. 7(3) mandates processing must cease immediately upon consent withdrawal.
Recommendation: Ensure all non-essential tracking ceases immediately upon consent rejection with no continued third-party requests.
E.2 No tracker JS libraries loaded after reject-all
✓ PASS

No tracker scripts observed post-reject.

E.3 HIGH No tracking pixels or beacons fired after reject-all
✗ FAIL

2 tracking pixel/beacon call(s) post-reject.

url: https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP&gtm=45je6461h1v9231223469za200zd9231223469&_p=177563  ·  vendor: Google Analytics  ·  category: ANALYTICS  ·  timestamp: 2026-04-08T07:03:07
url: https://region1.google-analytics.com/g/collect?v=2&tid=G-SNNESL7MGP&gtm=45je6461h1v9231223469za200zd9231223469&_p=177563  ·  vendor: Google Analytics  ·  category: ANALYTICS  ·  timestamp: 2026-04-08T07:03:09
Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines 05/2020 require consent withdrawal to be immediately effective across all processing activities.
Recommendation: Disable all tracking pixels and beacons when users reject non-essential cookies to respect consent withdrawal.
E.4 HIGH No tracking activity on subpages after reject-all
✗ FAIL

Tracking activity detected on 2 subpage(s) after reject.

page: https://www.waivern.com/  ·  global: gtag  ·  phase: subpage_1
page: https://www.waivern.com/  ·  global: google_tag_manager  ·  phase: subpage_1
page: https://www.waivern.com/pricing  ·  global: gtag  ·  phase: subpage_2
page: https://www.waivern.com/pricing  ·  global: google_tag_manager  ·  phase: subpage_2
Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a)
Precedent: GDPR fairness principle violated when consent rejection fails to prevent tracking across user session.
Recommendation: Implement site-wide consent state management to prevent tracking on subsequent pages after rejection.
F. Cookie Verification (Third-Party) 0 FAIL   2 PASS   0 MANUAL
F.1 No analytics/marketing cookies present after reject-all
⚠ PARTIAL

No advertising cookies seen in request headers post-reject. Verify Storage tab with Component 2 for full confirmation.

F.2 document.cookie contains only essential cookies post-reject
✓ PASS

No advertising cookies visible in document.cookie post-reject.

doc cookie snippet: CookieConsent={stamp:%27GH2QzZvz0aBPVT+BzCVTTHH7iUXLPSPkwhjByw+m3L7OFk9BOmMNWw==%27%2Cnecessary:true%2Cpreferences:false%2Cstatistics:false%2Cmarketing:false%2Cmethod:%27explicit%27%2Cver:1%2Cutc:1775631775910%2Cregion:%27nl%27}
F.3 No tracking identifiers in web storage post-reject
✓ PASS

No tracking identifiers found in localStorage/sessionStorage post-reject.

G. First-Party Cookie Classification 0 FAIL   7 PASS   1 MANUAL
G.1 Complete first-party cookie inventory with full metadata
ℹ INFO

1 first-party cookies in Storage after Accept All.

name: CookieConsent  ·  domain: www.waivern.com  ·  expires days: 365.0  ·  http only: False  ·  secure: True  ·  same site: Lax  ·  classification: ESSENTIAL
G.2 All observed cookies declared in cookie policy
✓ PASS

Cookie policy fetched from https://www.waivern.com/cookie-policy. 14 declared cookies found.

G.3 Strictly necessary two-part test (AI-assisted)
✓ PASS

AI analysis: 0 cookie(s) fail the strictly-necessary test and should be absent after reject-all. Summary: One cookie observed (CookieConsent) which appears to be a consent management cookie. While not explicitly declared in the cookie policy, this type of cookie is typically considered strictly necessary for legal compliance and remembering user consent preferences. The cookie policy appears to be generic/template content with fragmented declarations that don't properly list actual cookies used on the site.

cookie name: CookieConsent  ·  declared: False  ·  category: strictly_necessary  ·  strictly necessary test: exempt  ·  should be absent post reject: False  ·  notes: Cookie consent management cookie is typically strictly necessary to remember user's consent choices and comply with legal requirements. Not explicitly declared in the policy but serves essential legal compliance function.
G.4 Server-side analytics/ad cookies identified in Set-Cookie headers
✓ PASS

No advertising cookies observed in Set-Cookie response headers.

G.5 CNAME cloaking check (subdomains observed — DNS resolution requires Component 2)
☐ MANUAL

Found 0 first-party subdomains. Run 'dig CNAME ' against each to check for third-party infrastructure. Full automation available in Component 2.

G.6 Non-essential first-party cookies absent after reject-all
✓ PASS

All advertising cookies absent from Storage post-reject.

G.7 No non-essential Set-Cookie headers after reject-all
✓ PASS

No non-essential Set-Cookie headers observed post-reject.

G.8 Cookie lifetime analysis (ITP bypass detection)
✓ PASS

No obvious ITP bypass patterns in Set-Cookie headers.

G.9 No tracking keys in first-party localStorage/sessionStorage post-reject
✓ PASS

No tracking identifiers found in first-party web storage post-reject.

H. JS Global Object Verification 2 FAIL   0 PASS   0 MANUAL
H.1 MEDIUM Tracker JS globals (ga, gtag, fbq, hj, etc.) return undefined post-reject
✗ FAIL

Tracker globals still defined after reject-all: ['gtag', 'google_tag_manager']

global: gtag  ·  type: function
global: google_tag_manager  ·  type: __defined_object__
Regulatory basis: GDPR Art. 7(3) · GDPR Art. 25
Precedent: Data protection by design requires removing processing capabilities when consent is withdrawn.
Recommendation: Remove or disable tracker global variables when consent is rejected to prevent inadvertent data collection.
H.2 Tracker globals not merely defined without values
ℹ INFO

See H.1 — same evidence applies.

global: gtag  ·  present: True
global: google_tag_manager  ·  present: True
H.3 MEDIUM window.dataLayer absent or contains no tracking events post-reject
✗ FAIL

dataLayer contains 1 tracking event(s): ['gtm.dom']

event
gtm.dom
gtm.load
gtm.scrollDepth
cookie_consent_update
Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines confirm dataLayer events constitute processing requiring valid consent basis.
Recommendation: Clear dataLayer of tracking events upon consent rejection to ensure no analytical data collection occurs.
I. DOM / Source Inspection 0 FAIL   3 PASS   0 MANUAL
I.1 Tracker script tags have type=text/plain (CMP-blocked) in DOM post-reject
✓ PASS

All 0 tracker scripts correctly blocked in DOM post-reject.

I.2 Non-essential scripts blocked (type=text/plain)
✓ PASS

See I.1 — same check.

I.3 No tracker JS files in executed sources post-reject
✓ PASS

Based on DOM script inventory; full Sources tab verification requires Chrome DevTools protocol introspection (beyond current scope).

J. Safari-Specific Considerations 0 FAIL   1 PASS   2 MANUAL
J.1 ITP setting
☐ MANUAL

Requires manual browser configuration check.

J.2 ITP-off re-test
☐ MANUAL

Requires manual browser configuration check.

J.3 Server-side cookie-setting identified where ITP would block client-side
✓ PASS

No obvious ITP-bypass server-side cookies detected.

K. Consent Mechanism UX Compliance 2 FAIL   2 PASS   0 MANUAL
K.1 Reject All at same prominence and level as Accept All
✓ PASS

Reject All available at first screen at same level as Accept All.

accept visible at first screen: True  ·  reject visible at first screen: True  ·  reject requires extra layer: False  ·  accept button text: Allow all cookies  ·  reject button text: Accept only strictly necessary cookies
K.2 👁 AI Non-essential categories default to OFF
UNCLEAR

Cannot assess default toggle states as no manage preferences interface is visible in the provided screenshots

ai evidence: No privacy manager/Layer 2 screenshot available showing category toggles or preferences panel
K.3 MEDIUM 👁 AI No dark patterns in consent banner (colour, visual hierarchy)
✗ FAIL

Using 'Accept' language for the reject option is a dark pattern that could confuse users into thinking they are accepting something rather than rejecting non-essential cookies. Clear 'Reject' or 'Decline' language would be more transparent

ai evidence: The reject button is misleadingly labeled as 'Accept only strictly necessary cookies' which uses positive language ('Accept') instead of clear rejection language
Regulatory basis: GDPR Art. 5(1)(a) · GDPR Art. 6(1)(a)
Precedent: EDPB Cookie Banner Taskforce Report prohibits dark patterns and misleading design in consent interfaces.
Recommendation: Replace with clear 'Reject' or 'Decline' language to avoid confusion and ensure transparent choice presentation.
K.5 HIGH Persistent consent withdrawal mechanism accessible after interaction
✗ FAIL

No persistent consent widget found. Users cannot easily withdraw consent.

found: False  ·  text:  ·  in iframe: False
Regulatory basis: GDPR Art. 7(3) · GDPR Art. 12(2)
Precedent: EDPB Guidelines 05/2020 require consent withdrawal to be as easy as giving consent, necessitating persistent access.
Recommendation: Implement persistent consent management widget allowing users to easily modify cookie preferences at any time.
K.6 Site fully accessible after declining consent (no cookie wall)
✓ PASS

Site content accessible after declining consent.

accessible: True
L. Consent State Persistence 0 FAIL   2 PASS   0 MANUAL
L.2 Consent choice respected on second tab (same session)
✓ PASS

Consent preference correctly persisted to second tab.

consent cookie found: True  ·  ad cookies found: False  ·  tcf available: False  ·  tcf display status: None
L.3 Declined state maintained after closing and reopening (simulate new session)
✓ PASS

No advertising cookies found on simulated return visit.

ad cookies on return: False  ·  total cookies: 1
Additional Findings 0 FAIL   3 PASS   0 MANUAL
ADD.1 Persistent identifier bridging across consent states
✓ PASS

No persistent cross-phase identifiers detected in POST bodies.

ADD.2 TCF consent string analysis (all phases)
ℹ INFO

No TCF consent strings detected in query parameters.

ADD.3 Session ID bridging across consent and rejection phases
✓ PASS

No session ID bridging detected across consent states.

ADD.4 Persistent vendor userIds transmitted after reject-all
✓ PASS

No persistent vendor userIds detected in post-reject requests.

Test Details 0 FAIL   0 PASS   0 MANUAL
META Site URL, test date, CMP platform
ℹ INFO

CMP identified as: Cookiebot

url: Pricing | Waivern Ltd
test date: 2026-04-08
test time utc: 2026-04-08T07:02:01
cmp detected: Cookiebot
total requests: 193
phases detected: pre_consent, post_reject
phase strategy: {'accept': 'not_detected', 'reject': 'timestamp_hint'}
Component 3 — AI analysis via claude-sonnet-4-20250514