Waivern Consent Analyser
AI-Enhanced Compliance Report

https://www.bbc.co.uk  ·  CMP: Sourcepoint   🤖 AI analysis active
After Reject All (post-rejection state)
17 FAIL   20 PASS   2 MANUAL

Consent State Screenshots — assessed by AI for K.1/K.2/K.3

Layer 1 — Initial banner (before interaction)
pre_consent
Layer 2 — After Accept All (consent baseline)
post_accept
After Reject All (post-rejection state)
post_reject

AI Executive Summary

Overall Risk: HIGH

The BBC website demonstrates significant GDPR and ePrivacy compliance failures across multiple areas. Pre-consent tracking violations show 2 tracking domains making requests before user interaction, with advertising cookies already present in storage. Post-reject violations are severe, with 13 tracking domains continuing to fire after users select 'reject all', tracker scripts remaining active, and advertising cookies persisting across sessions. The cookie policy lacks transparency with 33 undeclared cookies, and TCF consent strings are transmitted to ad vendors even in reject states. These findings represent systematic non-compliance with fundamental EU data protection requirements.

Remediation Roadmap

  1. Implement immediate blocking of all non-essential tracking requests and cookie setting when users select reject-all (high) — Addresses the most severe ongoing violations where user rejection choices are not technically implemented
  2. Configure consent management platform to prevent pre-consent tracking and cookie setting (medium) — Ensures compliance with fundamental requirement that no processing occurs before explicit consent
  3. Implement proper script blocking and disable tracking globals for rejected consent states (medium) — Prevents tracking scripts from executing and collecting data when consent is rejected
  4. Fix consent state persistence across tabs and sessions to respect user choices (low) — Ensures user consent decisions are properly maintained and respected across all interactions
  5. Update cookie policy documentation and prevent TCF string transmission for reject states (low) — Improves transparency and prevents unnecessary data processing in advertising ecosystem

Detailed Findings

🤖 = AI-assessed  ·  👁 = Vision (screenshot)  ·  HIGH MEDIUM LOW = risk level from legal analysis

B. Pre-Consent State 3 FAIL   2 PASS   0 MANUAL
B.1 HIGH No tracking requests before consent banner interaction
✗ FAIL

2 tracking domain(s) made requests before any consent signal was recorded.

| domain | vendor | category | request_count | first_request_time | example_url |
|---|---|---|---|---|---|
| sb.scorecardresearch.com | Comscore | ANALYTICS | 2 | 2026-04-01T23:29:36 | https://sb.scorecardresearch.com/beacon.js |
| pagead2.googlesyndication.com | Google AdSense/GAM | ADVERTISING | 1 | 2026-04-01T23:29:38 | https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js |

Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 6(1)(a) · GDPR Art. 25
Precedent: CJEU Planet49 ruling established that any processing before active consent violates ePrivacy requirements.
Recommendation: Implement technical measures to block all non-essential tracking requests until explicit user consent is obtained through the consent banner.
B.2 HIGH No analytics/marketing cookies in Storage pre-consent
✗ FAIL

1 advertising cookie(s) present in browser storage before any consent was given.

| name | domain | value_snippet |
|---|---|---|
| optimizelyEndUserId | .bbc.com | oeu1775086177131r0.5938044045327691 |

Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 25
Precedent: EDPB Guidelines 2/2023 clarify that storage/access requires prior consent regardless of first/third-party distinction.
Recommendation: Configure consent management platform to prevent setting any non-essential cookies until user provides explicit consent.
B.3 MEDIUM JS tracker globals return undefined pre-consent
✗ FAIL

Tracker globals defined before consent: ['analytics']

| global | type |
|---|---|
| analytics | __defined_object__ |

Regulatory basis: ePrivacy Directive Art. 5(3) · GDPR Art. 25
Precedent: EDPB Cookie Banner Taskforce Report emphasizes that any processing activity before consent violates data protection by design principles.
Recommendation: Delay initialization of tracking scripts until consent is obtained, ensuring tracker globals remain undefined pre-consent.
B.4 No tracking identifiers in localStorage/sessionStorage pre-consent
✓ PASS

No tracking keys found in web storage pre-consent.

B.5 Non-essential scripts have type=text/plain (CMP-blocked) in DOM
✓ PASS

All tracking scripts in DOM appear to be CMP-blocked (type=text/plain) or absent.

C. Baseline Capture 0 FAIL   0 PASS   0 MANUAL
C.2 Inventory of third-party tracking domains active after Accept All
ℹ INFO

13 tracking domains active after consent-all (baseline).

| domain | vendor | category | first_seen | example_url |
|---|---|---|---|---|
| pub.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 2026-04-01T23:29:33 | https://pub.doubleverify.com/dvtag/signals/ids/pub.json?ctx=29028254&cmp=DV1298722&url=https%3A%2F%2Fbbc.com&ids=1&token |
| cm.g.doubleclick.net | Google DoubleClick | ADVERTISING | 2026-04-01T23:29:33 | https://cm.g.doubleclick.net/partnerpixels?gdpr_consent=CQh-8AAQh-8AAAGABCENCYFgAP_gAEAAABpYIoQJAAFAAVAA4ACAAFQAMgAaAA5A |
| ep1.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:33 | https://ep1.adtrafficquality.google/getconfig/sodar?sv=200&tid=gpt&tv=m202603240101&st=env&sjk=2769602542085824 |
| securepubads.g.doubleclick.net | Google Publisher Ads | ADVERTISING | 2026-04-01T23:29:33 | https://securepubads.g.doubleclick.net/gampad/ads?pvsid=2769602542085824&correlator=2690793528291442&eid=31097528%2C3109 |
| 11a4d851dcbbfa5f337830877cc0a539.safeframe.googlesyndication.com | Google SafeFrame (viewability) | MEASUREMENT | 2026-04-01T23:29:33 | https://11a4d851dcbbfa5f337830877cc0a539.safeframe.googlesyndication.com/safeframe/1-0-45/html/container.html |
| sb.scorecardresearch.com | Comscore | ANALYTICS | 2026-04-01T23:29:33 | https://sb.scorecardresearch.com/internal-cs/default/beacon.js |
| ep2.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:33 | https://ep2.adtrafficquality.google/sodar/sodar2.js |
| ib.adnxs.com | Xandr AppNexus | ADVERTISING | 2026-04-01T23:29:33 | https://ib.adnxs.com/getuidj?gdpr=1&gdpr_consent=CQh-8AAQh-8AAAGABCENCYFgAP_gAEAAABpYIoQJAAFAAVAA4ACAAFQAMgAaAA5AB6AEWAJ |
| pagead2.googlesyndication.com | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:33 | https://pagead2.googlesyndication.com/pagead/sodar?id=sodar2&v=253&li=gpt_m202603240101&jk=2769602542085824&rc= |
| cdn.doubleverify.com | DoubleVerify | MEASUREMENT | 2026-04-01T23:29:33 | https://cdn.doubleverify.com/dvtp_src.js |
| tps.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 2026-04-01T23:29:34 | https://tps.doubleverify.com/visit.js?flvr=0&ttmms=77&ttfrms=27&bridua=3&tstype=2&eparams=DC4FC%3Dl9EEADTbpTauTauHHH%5D3 |
| tps-dn-ew1.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 2026-04-01T23:29:34 | https://tps-dn-ew1.doubleverify.com/event.jpg?impid=8984bf1de8324c0799dc759ce184857a&consid=&api=1&rc=true |
| tpsc-ew1.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 2026-04-01T23:29:34 | https://tpsc-ew1.doubleverify.com/event.png?impid=8984bf1de8324c0799dc759ce184857a&flavor=0&gdpr=1&gdpr_consent=CQh-8AAQ |

C.3 Full cookie inventory (with expiry, HttpOnly, Secure, SameSite) after Accept All
ℹ INFO

34 cookies in storage after Accept All (full metadata).

| name | domain | expires_days | http_only | secure | same_site | classification |
|---|---|---|---|---|---|---|
| ckns_mvt | .bbc.co.uk | 365.0 | False | True | Lax | UNKNOWN |
| optimizelyEndUserId | .bbc.com | 180.0 | False | False | Lax | AD |
| optimizelySession | .bbc.com | 180.0 | False | False | Lax | ESSENTIAL |
| ckns_mvt | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| https://www.bbc.com_oeu1775086170103r0.7661490551611259$$27302320011$$session_state | a4621041136.cdn.optimizely.com | 180.0 | False | True | None | ESSENTIAL |
| ckns_policy | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_policy_exp | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_explicit | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_privacy | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| _cb | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _chartbeat2 | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _cb_svref | .bbc.com | 0.0 | False | True | Lax | UNKNOWN |
| _sp_su | .bbc.com | 365.0 | False | True | None | ESSENTIAL |
| _pcid | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| consentUUID | www.bbc.com | 365.0 | False | True | None | ESSENTIAL |
| usnatUUID | .bbc.com | 365.0 | False | True | None | UNKNOWN |
| _pctx | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _pprv | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| __tbc | .bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| xbc | .bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| _pcus | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| cX_P | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| permutive-id | .bbc.com | 183.0 | False | True | None | UNKNOWN |
| UID | .scorecardresearch.com | 390.0 | False | True | None | UNKNOWN |
| XID | .scorecardresearch.com | 390.0 | False | True | None | UNKNOWN |
| pxid | .e488cdb0-e7cb-4d91-9648-60d437d8e491.prmutv.co | 91.0 | True | True | None | UNKNOWN |
| cX_G | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| __gads | .bbc.com | 390.0 | False | True | None | AD |
| __gpi | .bbc.com | 390.0 | False | True | None | AD |
| gckp | .cxense.com | 365.0 | True | True | None | UNKNOWN |
| __eoi | .bbc.com | 180.0 | False | True | None | AD |
| IDE | .doubleclick.net | 390.0 | True | True | None | AD |
| ckns_eds | .www.bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| ecos.dt | .www.bbc.com | session | False | False | Lax | UNKNOWN |

C.4 Tracker JS globals active after Accept All (baseline)
ℹ INFO

Globals defined after consent: ['analytics']

| global | type |
|---|---|
| analytics | __defined_object__ |

D. Decline Non-Essential Consent 0 FAIL   1 PASS   0 MANUAL
D.4 Reject requires no more clicks than Accept (EDPB symmetry)
✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

| accept_clicks | reject_clicks | extra_clicks_to_reject | reject_required_manage_panel |
|---|---|---|---|
| 1 | 1 | 0 | False |

E. Network Request Verification 2 FAIL   2 PASS   0 MANUAL
E.1 HIGH No requests to non-essential third-party domains after reject-all
✗ FAIL

13 tracking domain(s) continued firing after reject-all.

| domain | vendor | category | request_count | in_baseline | first_seen | example_url |
|---|---|---|---|---|---|---|
| pub.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 3 | False | 2026-04-01T23:29:54 | https://pub.doubleverify.com/dvtag/signals/ids/pub.json?ctx=29028254&cmp=DV1298722&url=https%3A%2F%2Fbbc.com&ids=1&token |
| sb.scorecardresearch.com | Comscore | ANALYTICS | 2 | False | 2026-04-01T23:29:54 | https://sb.scorecardresearch.com/internal-cs/default/beacon.js |
| ep1.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 2 | False | 2026-04-01T23:29:54 | https://ep1.adtrafficquality.google/getconfig/sodar?sv=200&tid=gpt&tv=m202603240101&st=env&sjk=7252211227740584 |
| pagead2.googlesyndication.com | Google AdSense/GAM | ADVERTISING | 9 | False | 2026-04-01T23:29:54 | https://pagead2.googlesyndication.com/gampad/ads?pvsid=7252211227740584&correlator=22190794992333&eid=31097430&output=ld |
| a61e8b95a6c4b2cd4f071e5993f576fd.safeframe.googlesyndication.com | Google SafeFrame (viewability) | MEASUREMENT | 1 | False | 2026-04-01T23:29:54 | https://a61e8b95a6c4b2cd4f071e5993f576fd.safeframe.googlesyndication.com/safeframe/1-0-45/html/container.html |
| ep2.adtrafficquality.google | Google SODAR/IVT | ADVERTISING | 3 | False | 2026-04-01T23:29:54 | https://ep2.adtrafficquality.google/sodar/sodar2.js |
| cdn.doubleverify.com | DoubleVerify | MEASUREMENT | 3 | False | 2026-04-01T23:29:54 | https://cdn.doubleverify.com/dvtp_src.js |
| tps.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 1 | False | 2026-04-01T23:29:55 | https://tps.doubleverify.com/visit.js?flvr=0&ttmms=65&ttfrms=24&bridua=3&tstype=2&eparams=DC4FC%3Dl9EEADTbpTauTauHHH%5D3 |
| cm.g.doubleclick.net | Google DoubleClick | ADVERTISING | 1 | False | 2026-04-01T23:29:55 | https://cm.g.doubleclick.net/pixel?google_nid=doubleverify_ddp&google_ula=7327243&google_hm=**&google_redir=https%3A%2F% |
| tps-dn-ew1.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 1 | False | 2026-04-01T23:29:55 | https://tps-dn-ew1.doubleverify.com/event.jpg?impid=a14d4c4ff7f64d70bab81daa83c788a4&consid=&api=1&rc=true |
| tpsc-ew1.doubleverify.com | DoubleVerify (brand safety) | MEASUREMENT | 3 | False | 2026-04-01T23:29:55 | https://tpsc-ew1.doubleverify.com/event.png?impid=a14d4c4ff7f64d70bab81daa83c788a4&flavor=0&gdpr=1&gdpr_consent=CQh-8AAQ |
| securepubads.g.doubleclick.net | Google Publisher Ads | ADVERTISING | 1 | False | 2026-04-01T23:29:55 | https://securepubads.g.doubleclick.net/pagead/managed/dict/m202603310101/gpt |
| ib.adnxs.com | Xandr AppNexus | ADVERTISING | 1 | False | 2026-04-01T23:29:55 | https://ib.adnxs.com/setuid?entity=584&code=1f9f90df-bf7e-4d6b-b3f9-ef9f355fc015-tuct10c72ff3&gdpr=1&gdpr_consent= |

Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a) · ePrivacy Directive Art. 5(3)
Precedent: GDPR Article 7(3) mandates that processing must cease immediately upon consent withdrawal, with EDPB emphasizing technical implementation requirements.
Recommendation: Immediately cease all tracking requests when users select reject-all, ensuring consent withdrawal is technically implemented across all third-party domains.
E.2 No tracker JS libraries loaded after reject-all
✓ PASS

No tracker scripts observed post-reject.

E.3 HIGH No tracking pixels or beacons fired after reject-all
✗ FAIL

13 tracking pixel/beacon call(s) post-reject.

| url | vendor | category | timestamp |
|---|---|---|---|
| https://sb.scorecardresearch.com/internal-cs/default/beacon.js | Comscore | ANALYTICS | 2026-04-01T23:29:54 |
| https://ep1.adtrafficquality.google/getconfig/sodar?sv=200&tid=gpt&tv=m202603240101&st=env&sjk=7252211227740584 | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:54 |
| https://ep2.adtrafficquality.google/sodar/sodar2.js | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:54 |
| https://ep2.adtrafficquality.google/sodar/sodar2/253/runner.html | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:54 |
| https://pagead2.googlesyndication.com/pcs/view?xai=AKAOjsu-8wsfxMQJLqNeWfjfa2SnlnqSKOLGKwgaPvoZHYgtwi1T59EclxzJycpeG8GbF | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:54 |
| https://pagead2.googlesyndication.com/pagead/gen_204?id=av-js&type=colleague-executed&name=4 | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:55 |
| https://pagead2.googlesyndication.com/pagead/gen_204?id=av-js&type=reach&proto=CAlgAWgD | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:55 |
| https://pagead2.googlesyndication.com/pcs/view?xai=AKAOjss4zSImb491lDGUAgemh_43iEIXXwi91NZsXa5Ns_InIlUPVWmvEsVryZbMtUqtx | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:55 |
| https://cm.g.doubleclick.net/pixel?google_nid=doubleverify_ddp&google_ula=7327243&google_hm=**&google_redir=https%3A%2F% | Google DoubleClick | ADVERTISING | 2026-04-01T23:29:55 |
| https://ep2.adtrafficquality.google/generate_204?qGFJsQ | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:55 |
| https://pagead2.googlesyndication.com/pagead/ping?e=1 | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:55 |
| https://ep1.adtrafficquality.google/pagead/sodar?id=sodar2&v=253&t=2&li=gpt_m202603240101&jk=7252211227740584&bg=!OzilOF | Google SODAR/IVT | ADVERTISING | 2026-04-01T23:29:55 |
| https://pagead2.googlesyndication.com/pcs/activeview?xai=AKAOjsuFMdROxdrfpl2kIiXYDMqNnEd10PhYHZWylIUSQC8wM7qUof7avSRKa5W | Google AdSense/GAM | ADVERTISING | 2026-04-01T23:29:56 |

Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines 05/2020 establish that any continued tracking after consent withdrawal constitutes a fundamental breach of consent requirements.
Recommendation: Block all tracking pixels and beacons when users reject consent, implementing technical controls to prevent post-rejection tracking activities.
E.4 No tracking activity on subpages after reject-all
✓ PASS

No tracker globals or tracking storage observed on 2 subpage(s).

F. Cookie Verification (Third-Party) 2 FAIL   1 PASS   0 MANUAL
F.1 HIGH No analytics/marketing cookies present after reject-all
✗ FAIL

1 advertising cookie(s) still being sent in request headers post-reject. Note: HAR does not capture full Storage tab state — use Component 2 for definitive Storage verification.

| name | domain | value_snippet | first_seen |
|---|---|---|---|
| optimizelyEndUserId | gn-web-assets.api.bbc.com | oeu1775086177131r0.5938044045327691 | 2026-04-01T23:29:54 |

Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: CNIL enforcement against Google/Facebook established that continued cookie usage after rejection constitutes ongoing GDPR violation.
Recommendation: Configure systems to delete or block transmission of advertising cookies immediately upon consent rejection.
F.2 HIGH document.cookie contains only essential cookies post-reject
✗ FAIL

Advertising cookies in document.cookie post-reject: ['optimizelyEndUserId=oeu1775086177131r0.5938044045327691']

doc_cookie_snippet
optimizelyEndUserId=oeu1775086177131r0.5938044045327691; optimizelySession=1775086177143; ckns_mvt=fe33751a-c4f2-41de-a580-d515b67a64fb; ckns_policy=000; ckns_policy_exp=1775086177567; ckns_explicit=0; ckns_privacy=july2019; _cb=B9IVeiBox9epCnGC6z; _chartbeat2=.1775086177845.1775086177845.1.CqOl1ODB
Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines emphasize that consent withdrawal must result in immediate cessation of processing, including cookie deletion.
Recommendation: Implement technical deletion of all advertising cookies from document.cookie when users select reject-all option.
F.3 No tracking identifiers in web storage post-reject
✓ PASS

No tracking identifiers found in localStorage/sessionStorage post-reject.

G. First-Party Cookie Classification 3 FAIL   5 PASS   0 MANUAL
G.1 Complete first-party cookie inventory with full metadata
ℹ INFO

27 first-party cookies in Storage after Accept All.

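| name | domain | expires_days | http_only | secure | same_site | classification |
|---|---|---|---|---|---|---|
| optimizelyEndUserId | .bbc.com | 180.0 | False | False | Lax | AD |
| optimizelySession | .bbc.com | 180.0 | False | False | Lax | ESSENTIAL |
| ckns_mvt | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_policy | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_policy_exp | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_explicit | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| ckns_privacy | .bbc.com | 365.0 | False | False | Lax | UNKNOWN |
| _cb | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _chartbeat2 | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _cb_svref | .bbc.com | 0.0 | False | True | Lax | UNKNOWN |
| _sp_su | .bbc.com | 365.0 | False | True | None | ESSENTIAL |
| _pcid | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| consentUUID | www.bbc.com | 365.0 | False | True | None | ESSENTIAL |
| usnatUUID | .bbc.com | 365.0 | False | True | None | UNKNOWN |
| _pctx | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| _pprv | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| __tbc | .bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| xbc | .bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| _pcus | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| cX_P | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| permutive-id | .bbc.com | 183.0 | False | True | None | UNKNOWN |
| cX_G | .bbc.com | 395.0 | False | True | Lax | UNKNOWN |
| __gads | .bbc.com | 390.0 | False | True | None | AD |
| __gpi | .bbc.com | 390.0 | False | True | None | AD |
| __eoi | .bbc.com | 180.0 | False | True | None | AD |
| ckns_eds | .www.bbc.com | 400.0 | False | False | Lax | UNKNOWN |
| ecos.dt | .www.bbc.com | session | False | False | Lax | UNKNOWN |
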
G.2 MEDIUM All observed cookies declared in cookie policy
✗ FAIL

33 cookie(s) observed but not found in cookie policy at https://www.bbc.co.uk/cookies.

| cookie_name | status |
|---|---|
| __tbc | observed but not in cookie policy |
| __gpi | observed but not in cookie policy |
| _pctx | observed but not in cookie policy |
| _cb_svref | observed but not in cookie policy |
| ckns_policy_exp | observed but not in cookie policy |
| https://www.bbc.com_oeu1775086170103r0.7661490551611259$$27302320011$$session_state | observed but not in cookie policy |
| ckns_policy | observed but not in cookie policy |
| XID | observed but not in cookie policy |
| ckns_explicit | observed but not in cookie policy |
| cX_G | observed but not in cookie policy |
| __gads | observed but not in cookie policy |
| ecos.dt | observed but not in cookie policy |
| ckns_mvt | observed but not in cookie policy |
| ckns_privacy | observed but not in cookie policy |
| usnatUUID | observed but not in cookie policy |
| _pcus | observed but not in cookie policy |
| ckns_eds | observed but not in cookie policy |
| _cb | observed but not in cookie policy |
| IDE | observed but not in cookie policy |
| https://www.bbc.com_oeu1775086177131r0.5938044045327691$$27302320011$$session_state | observed but not in cookie policy |
| datadome | observed but not in cookie policy |
| UID | observed but not in cookie policy |
| optimizelySession | observed but not in cookie policy |
| _chartbeat2 | observed but not in cookie policy |
| __eoi | observed but not in cookie policy |
| xbc | observed but not in cookie policy |
| permutive-id | observed but not in cookie policy |
| optimizelyEndUserId | observed but not in cookie policy |
| _pprv | observed but not in cookie policy |
| cX_P | observed but not in cookie policy |

Regulatory basis: GDPR Art. 5(1)(a) · GDPR Art. 12 · GDPR Art. 13
Precedent: GDPR transparency requirements mandate clear information about all processing activities, with ICO enforcement actions targeting incomplete cookie policies.
Recommendation: Update cookie policy to provide transparent information about all cookies in use, including purpose, duration, and legal basis for each cookie type.
G.3 Strictly necessary two-part test (AI-assisted)
✓ PASS

AI analysis: 0 cookie(s) fail the strictly-necessary test and should be absent after reject-all. Summary:

G.4 Server-side analytics/ad cookies identified in Set-Cookie headers
✓ PASS

No advertising cookies observed in Set-Cookie response headers.

G.5 No CNAME cloaking detected (first-party subdomains resolving to tracker infrastructure)
✓ PASS

No CNAME cloaking detected across 9 subdomain(s).

| subdomain | cname_target | is_tracker | vendor | error |
|---|---|---|---|---|
| mybbc-analytics.files.bbci.co.uk | (no CNAME / A record only) | False | None | None |
| idcta.api.bbc.co.uk | (no CNAME / A record only) | False | None | None |
| static.files.bbci.co.uk | (no CNAME / A record only) | False | None | None |
| emp.bbci.co.uk | (no CNAME / A record only) | False | None | None |
| static.bbci.co.uk | (no CNAME / A record only) | False | None | None |
| bbc.co.uk | (no CNAME / A record only) | False | None | None |
| a1.api.bbc.co.uk | (no CNAME / A record only) | False | None | None |
| nav.files.bbci.co.uk | (no CNAME / A record only) | False | None | None |
| ichef.bbci.co.uk | (no CNAME / A record only) | False | None | None |

G.6 HIGH Non-essential first-party cookies absent after reject-all
✗ FAIL

1 advertising/analytics cookie(s) present in both baseline and post-reject storage.

cookie_name
optimizelyEndUserId
Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines 05/2020 require technical implementation of consent withdrawal, including active cookie removal.
Recommendation: Configure consent management system to actively delete advertising cookies from browser storage upon consent rejection.
G.7 HIGH No non-essential Set-Cookie headers after reject-all
✗ FAIL

13 Set-Cookie header(s) for non-essential cookies observed post-reject.

| cookie_name | domain | header | classification | timestamp |
|---|---|---|---|---|
| gckp | p1cluster.cxense.com | gckp=2s3oaip9dhsdzntxliuv8d00e;Path=/;Domain=cxense.com;Expires=Thu, 1 Apr 2027 23:29:54 GMT;Max-Age=31536000;HttpOnly;Secure;Version=1;SameSite=None | UNKNOWN | 2026-04-01T23:29:54 |
| gckp | comcluster.cxense.com | gckp=cx:1z6xit8ew47vq3vxrjzqbxotxg:ip6oka985kk8;Path=/;Domain=cxense.com;Expires=Thu, 1 Apr 2027 23:29:55 GMT;Max-Age=31536000;HttpOnly;Secure;Version | UNKNOWN | 2026-04-01T23:29:54 |
| gckp | id.cxense.com | gckp=cx:1z6xit8ew47vq3vxrjzqbxotxg:ip6oka985kk8;Path=/;Domain=cxense.com;Expires=Thu, 1 Apr 2027 23:29:55 GMT;Max-Age=31536000;HttpOnly;Secure;Version | UNKNOWN | 2026-04-01T23:29:55 |
| datadome | trc.taboola.com | datadome=dK3hpFPgQkWxyoGF~G9EtefTBWGtWg0_xoiY5SqEg6lzhZQdKZ4~CaRhM8lyShemwCa8QLacc2oNYnDShwh0bPBndXxBtcN8W1l2cOJ4uIjPRWo4zz3PEGZHK2kNGPXZ; Path=/; Dom | UNKNOWN | 2026-04-01T23:29:55 |
| api_uid | www.temu.com | api_uid=CnAQJ2nNqnPDT1XA4DftAg==; Secure; Path=/; Domain=temu.com; Expires=Thu, 01 Apr 2027 23:29:55 GMT | UNKNOWN | 2026-04-01T23:29:55 |
| DotMetrics.DeviceKey | uk-script.dotmetrics.net | DotMetrics.DeviceKey=DeviceID=; expires=Thu, 01 Apr 2027 23:29:56 GMT; domain=.dotmetrics.net; path=/; SameSite=None; secure | UNKNOWN | 2026-04-01T23:29:56 |
| DotMetrics.UniqueUserIdentityCookie | uk-script.dotmetrics.net | DotMetrics.UniqueUserIdentityCookie=UserID=63545c67-ebd1-48ea-9918-37fe862a96c0&Created=04/01/2026 23:29:56&UserMode=0&guid=c5df64a2-7164-45d9-b650-ae | UNKNOWN | 2026-04-01T23:29:56 |
| DotMetrics.DeviceKey | uk-script.dotmetrics.net | DotMetrics.DeviceKey=DeviceID=; expires=Thu, 01 Apr 2027 23:29:56 GMT; domain=.dotmetrics.net; path=/; SameSite=None; secure | UNKNOWN | 2026-04-01T23:29:56 |
| DotMetrics.UniqueUserIdentityCookie | uk-script.dotmetrics.net | DotMetrics.UniqueUserIdentityCookie=UserID=63545c67-ebd1-48ea-9918-37fe862a96c0&Created=04/01/2026 23:29:56&UserMode=0&guid=c5df64a2-7164-45d9-b650-ae | UNKNOWN | 2026-04-01T23:29:56 |
| DotMetrics.DeviceKey | uk-script.dotmetrics.net | DotMetrics.DeviceKey=DeviceID=; expires=Thu, 01 Apr 2027 23:29:58 GMT; domain=.dotmetrics.net; path=/; SameSite=None; secure | UNKNOWN | 2026-04-01T23:29:58 |
| DotMetrics.UniqueUserIdentityCookie | uk-script.dotmetrics.net | DotMetrics.UniqueUserIdentityCookie=UserID=63545c67-ebd1-48ea-9918-37fe862a96c0&Created=04/01/2026 23:29:56&UserMode=0&guid=c5df64a2-7164-45d9-b650-ae | UNKNOWN | 2026-04-01T23:29:58 |
| DotMetrics.DeviceKey | uk-script.dotmetrics.net | DotMetrics.DeviceKey=DeviceID=; expires=Thu, 01 Apr 2027 23:29:58 GMT; domain=.dotmetrics.net; path=/; SameSite=None; secure | UNKNOWN | 2026-04-01T23:29:58 |
| DotMetrics.UniqueUserIdentityCookie | uk-script.dotmetrics.net | DotMetrics.UniqueUserIdentityCookie=UserID=63545c67-ebd1-48ea-9918-37fe862a96c0&Created=04/01/2026 23:29:56&UserMode=0&guid=c5df64a2-7164-45d9-b650-ae | UNKNOWN | 2026-04-01T23:29:58 |

Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: ePrivacy Directive Article 5(3) prohibits any storage/access operations on user devices without prior consent.
Recommendation: Block server-side cookie setting for all non-essential cookies when users have rejected consent, preventing Set-Cookie header transmission.
G.8 Cookie lifetime analysis (ITP bypass detection)
✓ PASS

No obvious ITP bypass patterns in Set-Cookie headers.

G.9 No tracking keys in first-party localStorage/sessionStorage post-reject
✓ PASS

No tracking identifiers found in first-party web storage post-reject.

H. JS Global Object Verification 1 FAIL   1 PASS   0 MANUAL
H.1 MEDIUM Tracker JS globals (ga, gtag, fbq, hj, etc.) return undefined post-reject
✗ FAIL

Tracker globals still defined after reject-all: ['analytics']

| global | type |
|---|---|
| analytics | __defined_object__ |

Regulatory basis: GDPR Art. 7(3) · ePrivacy Directive Art. 5(3)
Precedent: EDPB Guidelines require complete cessation of processing activities upon consent withdrawal, including disabling tracking functionality.
Recommendation: Undefine or disable all tracking globals when consent is rejected to prevent analytics functionality from operating post-rejection.
H.2 Tracker globals not merely defined without values
ℹ INFO

See H.1 — same evidence applies.

| global | present |
|---|---|
| analytics | True |

H.3 window.dataLayer absent or contains no tracking events post-reject
✓ PASS

dataLayer not present post-reject.

I. DOM / Source Inspection 3 FAIL   0 PASS   0 MANUAL
I.1 HIGH Tracker script tags have type=text/plain (CMP-blocked) in DOM post-reject
✗ FAIL

4 tracker script(s) in DOM without CMP type-blocking post-reject. 0 script(s) correctly blocked.

| src | type_attr | vendor |
|---|---|---|
| https://securepubads.g.doubleclick.net/tag/js/gpt.js | text/javascript | Google Publisher Ads |
| https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202603240101/pubads_impl.js?cb=3109743 |  | Google Publisher Ads |
| https://pub.doubleverify.com/dvtag/29028254/DV1298722/pub.js | text/javascript | DoubleVerify (brand safety) |
| https://sb.scorecardresearch.com/internal-cs/default/beacon.js | text/javascript | Comscore |

Regulatory basis: GDPR Art. 7(3) · GDPR Art. 25
Precedent: Data protection by design principles require technical implementation of user choices, with active script blocking being industry standard.
Recommendation: Implement proper script blocking by setting type='text/plain' for all non-essential scripts when consent is rejected.
I.2 Non-essential scripts blocked (type=text/plain)
✗ FAIL

See I.1 — same check.

I.3 No tracker JS files in executed sources post-reject
✗ FAIL

Based on DOM script inventory; full Sources tab verification requires Chrome DevTools protocol introspection (beyond current scope).

| src | type_attr | vendor |
|---|---|---|
| https://securepubads.g.doubleclick.net/tag/js/gpt.js | text/javascript | Google Publisher Ads |
| https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202603240101/pubads_impl.js?cb=3109743 |  | Google Publisher Ads |
| https://pub.doubleverify.com/dvtag/29028254/DV1298722/pub.js | text/javascript | DoubleVerify (brand safety) |
| https://sb.scorecardresearch.com/internal-cs/default/beacon.js | text/javascript | Comscore |

J. Safari-Specific Considerations 0 FAIL   1 PASS   2 MANUAL
J.1 ITP setting
☐ MANUAL

Requires manual browser configuration check.

J.2 ITP-off re-test
☐ MANUAL

Requires manual browser configuration check.

J.3 Server-side cookie-setting identified where ITP would block client-side
✓ PASS

No obvious ITP-bypass server-side cookies detected.

K. Consent Mechanism UX Compliance 0 FAIL   4 PASS   0 MANUAL
K.1 Reject All at same prominence and level as Accept All
✓ PASS

Reject All available at first screen at same level as Accept All.

| accept_visible_at_first_screen | reject_visible_at_first_screen | reject_requires_extra_layer | accept_button_text | reject_button_text |
|---|---|---|---|---|
| True | True | False | I agree | I do not agree |

K.2 👁 AI Non-essential categories default to OFF
UNCLEAR

Cannot assess default toggle states for non-essential categories, as the manage options interface is not visible in the provided screenshots.

ai_evidence
No clear privacy manager/preferences panel screenshot is available showing toggle states
K.3 👁 AI No dark patterns in consent banner (colour, visual hierarchy)
✓ PASS

No apparent dark patterns detected - buttons are equivalently prominent and the interface allows single-click rejection

ai_evidence
Both buttons use similar styling, no color tricks (both appear dark), comparable sizing, and clear labeling
K.5 Persistent consent withdrawal mechanism accessible after interaction
✓ PASS

Persistent consent widget found: '(consent widget)'

| found | text | in_iframe |
|---|---|---|
| True | (consent widget) | False |

K.6 Site fully accessible after declining consent (no cookie wall)
✓ PASS

Site content accessible after declining consent.

accessible
True
L. Consent State Persistence 2 FAIL   0 PASS   0 MANUAL
L.2 MEDIUM Consent choice respected on second tab (same session)
✗ FAIL

Advertising cookies found in second tab — consent state may not be persisted.

| consent_cookie_found | ad_cookies_found | tcf_available | tcf_display_status |
|---|---|---|---|
| True | True | True | None |

Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a)
Precedent: EDPB Guidelines 05/2020 emphasize that consent decisions must be consistently applied across all user interactions.
Recommendation: Ensure consent preferences are properly synchronized across all browser tabs and windows within the same session.
L.3 HIGH Declined state maintained after closing and reopening (simulate new session)
✗ FAIL

Advertising cookies found on return — consent state not correctly maintained.

| ad_cookies_on_return | total_cookies |
|---|---|
| True | 25 |

Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a)
Precedent: GDPR requires that consent withdrawal decisions be respected until the user provides new consent, with EDPB emphasizing persistent technical implementation.
Recommendation: Configure consent management platform to persistently store and respect reject-all decisions across browser sessions until user actively changes preference.
Additional Findings 1 FAIL   3 PASS   0 MANUAL
ADD.1 Persistent identifier bridging across consent states
✓ PASS

No persistent cross-phase identifiers detected in POST bodies.

ADD.2 HIGH TCF consent string analysis (all phases)
✗ FAIL

Found 1 unique TCF strings. 1 reject-all string(s) transmitted to RTB/ad vendors — transmission itself is a processing act.

| phase | domain | timestamp | summary | is_reject_all | is_accept_all | cmp | tcf_policy_version | purpose_consents | li_claims | decode_error |
|---|---|---|---|---|---|---|---|---|---|---|
| post_accept | cm.g.doubleclick.net | 2026-04-01T23:29:33 | Accept-all (purposes 1–10 consented, CMP: Sourcepoint Technologies) | False | True | Sourcepoint Technologies | 5 | All 10 core purposes CONSENTED | [2] | None |
| post_reject | pagead2.googlesyndication.com | 2026-04-01T23:29:54 | Reject-all (no purpose consents) | True | False | Sourcepoint Technologies | 5 | All 24 purposes REJECTED (no consents) | none | None |

Regulatory basis: GDPR Art. 6(1) · IAB TCF 2.2 Policy
Precedent: IAB TCF 2.2 Policy recognizes that initiating bid requests constitutes processing regardless of consent string content.
Recommendation: Prevent transmission of any TCF strings to advertising vendors when users reject consent, as the transmission itself constitutes processing.
ADD.3 Session ID bridging across consent and rejection phases
✓ PASS

No session ID bridging detected across consent states.

ADD.4 Persistent vendor userIds transmitted after reject-all
✓ PASS

No persistent vendor userIds detected in post-reject requests.

Test Details 0 FAIL   0 PASS   0 MANUAL
META Site URL, test date, CMP platform
ℹ INFO

CMP identified as: Sourcepoint CMP

| url | test_date | test_time_utc | cmp_detected | total_requests | phases_detected | phase_strategy |
|---|---|---|---|---|---|---|
| Accessibility - BBC | 2026-04-01 | 2026-04-01T23:29:35 | Sourcepoint CMP | 369 | ['pre_consent', 'post_reject'] | {'accept': 'not_detected', 'reject': 'url_pattern'} |

Component 3 — AI analysis via claude-sonnet-4-20250514