Detection coverage

What CookieGap scans for.

CookieGap runs a real browser against your site and captures every cookie, tracker, and consent interaction across three phases: before consent, after rejection, and after acceptance. Below is the exact set of violations it grades — plus the narrower set of compliance questions that require human review rather than a scanner.

What CookieGap measures

Every item below is derived directly from the live scanner code, not a separate doc file — so it stays accurate as features ship.

Detection signals

  • Three-phase cookie capture
    Cookies set before consent, after accept, and after reject (with reload) — the full consent lifecycle.
  • Consent-management-platform identification
    Detects 12 CMP vendors via window globals, DOM signatures, and CDN-domain fingerprints when JS detection is suppressed.
  • Reject-button verification
    Locates the reject control via vendor JS API, DOM selector, ARIA, visible text (incl. shadow-DOM piercing), or settings-link fallback — and verifies post-action that consent state actually flipped.
  • Necessary-cookie classification
    Excludes session, CSRF, CDN/security (Cloudflare, Akamai, Imperva, DataDome), CMP consent records, and opt-out signal cookies from violation counts under every framework.
  • Third-party tracker identification
    Curated signature database matches tracker domains and assigns categories (analytics, marketing, advertising, functional, preferences).
  • IAB TCF v2 inspection
    Reads TCF consent strings; flags legitimate-interest abuse on consent-required purposes.
  • Do Not Sell or Share link detection
    CCPA/CPRA: detects presence and that the link leads to an actual mechanism.
  • Privacy-policy link detection
    Locates a discoverable privacy policy from any page surface.
  • Geo-targeted scanning
    Routes scans through residential proxies in 6 regions to test region-conditional consent behaviour.

Frameworks & deductions

Each scan is graded against the framework(s) applicable to its region. Below is every category of violation we deduct points for, by framework. Specific point values are not published.

GDPR (opt-in)
  • No consent banner present (GDPR Art. 7 — valid consent requires an affirmative action)
  • No reject button (consent not freely given) (EDPB 03/2022 — reject must be as easy as accept)
  • Tags fired without matching consent (CMP-verified) (GDPR Art. 6 — no lawful basis for processing before consent)
  • Non-necessary cookies persist after reject (GDPR Art. 7(3) — consent withdrawal must be honored)
  • Non-necessary cookies set before consent (GDPR Art. 7 — consent required before processing)
  • No privacy policy found (GDPR Art. 13 — information must be provided to data subjects)
  • Legitimate interest claimed on consent-required TCF purposes (GDPR Art. 6(1)(f) — leg-int unavailable for advertising purposes)
  • Trackers declared as necessary / uncategorized (EDPB 2/2023 — consent must be specific and informed)

ePrivacy (opt-in)
  • No consent banner present (GDPR Art. 7 — valid consent requires an affirmative action)
  • No reject button (consent not freely given) (EDPB 03/2022 — reject must be as easy as accept)
  • Tags fired without matching consent (CMP-verified) (GDPR Art. 6 — no lawful basis for processing before consent)
  • Non-necessary cookies persist after reject (GDPR Art. 7(3) — consent withdrawal must be honored)
  • No privacy policy found (GDPR Art. 13 — information must be provided to data subjects)
  • Legitimate interest claimed on consent-required TCF purposes (GDPR Art. 6(1)(f) — leg-int unavailable for advertising purposes)
  • Trackers declared as necessary / uncategorized (EDPB 2/2023 — consent must be specific and informed)
  • Non-necessary cookies set before consent (ePrivacy is strict) (ePrivacy Directive Art. 5(3) — prior consent for storage on terminal equipment)

CCPA (opt-out)
  • No 'Do Not Sell or Share My Personal Information' link (CCPA §1798.135(a) — clear and conspicuous opt-out link required)
  • Do Not Sell link present but non-compliant (missing mechanism) (CCPA §1798.135(b) — opt-out must actually work)
  • Tracking cookies persist after opt-out action (CCPA §1798.120 — right to opt-out of sale)
  • No privacy policy found (CCPA §1798.130 — notice at collection required)

LGPD (opt-in)
  • No consent banner present (LGPD Art. 7 — legal basis required (consent is most common))
  • No reject button (LGPD Art. 8 — consent must be free and informed)
  • Non-necessary cookies persist after reject (LGPD Art. 8(5) — consent withdrawal must be honored)
  • Non-necessary cookies set before consent (LGPD Art. 7 — processing requires legal basis)
  • No privacy policy / privacy notice (LGPD Art. 9 — data subject has right to clear information)

PIPEDA (meaningful consent)
  • No privacy policy (PIPEDA Principle 8 — openness about practices)
  • No opt-out mechanism for marketing tracking (PIPEDA Principle 3 — consent is meaningful and can be withdrawn)
  • Tracking cookies persist after opt-out (PIPEDA Principle 3 — withdrawal must be honored)
  • Non-necessary cookies set before meaningful consent (PIPEDA Principle 3 — knowledge and consent)
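
As an added worked example (not CookieGap's code), the cookie-lifecycle part of the grading above can be modelled offline: the three captured phases from the detection-signals list are filtered through the necessary-cookie exclusion, matched against a tracker signature table, and then checked against the deductions each framework applies (CCPA, being opt-out, has no before-consent deduction). The necessary-cookie names, the signature table and the captured phases are all constructed for the example.

```python
from collections import namedtuple

Cookie = namedtuple("Cookie", "name domain")  # domain the cookie is scoped to

# Illustrative subset (assumed) of the names the scanner treats as necessary:
# session, CSRF, CDN/security, CMP consent record.
NECESSARY = {"sessionid", "csrftoken", "__cf_bm", "OptanonConsent"}
# Constructed signature table: ("domain", suffix) for third-party cookies,
# ("name", prefix) for first-party cookies set by tracker scripts.
SIGNATURES = [("domain", "doubleclick.net", "advertising"),
              ("domain", "facebook.com", "marketing"),
              ("name", "_ga", "analytics"), ("name", "_fbp", "marketing")]
# Cookie-lifecycle deductions per framework, from the lists above. CCPA is
# opt-out: nothing is deducted for cookies set before consent, only for
# tracking cookies that persist after the opt-out action.
FRAMEWORK_RULES = {"GDPR": {"before", "reject"}, "ePrivacy": {"before", "reject"},
                   "LGPD": {"before", "reject"}, "PIPEDA": {"before", "reject"},
                   "CCPA": {"reject"}}

def is_necessary(c):
    return c.name in NECESSARY

def tracker_category(c):
    for kind, pat, cat in SIGNATURES:
        if kind == "domain" and (c.domain == pat or c.domain.endswith("." + pat)):
            return cat
        if kind == "name" and c.name.startswith(pat):
            return cat
    return None  # no signature match: needs manual review

def categorise(cookies):
    """Category for each non-necessary cookie in one phase (None = unmatched)."""
    return {c.name: tracker_category(c) for c in cookies if not is_necessary(c)}

def grade(phases, framework):
    """Violation categories for a three-phase capture; point values are not modelled."""
    findings = {}
    for phase, rule, label in (("before", "before", "non_necessary_before_consent"),
                               ("after_reject", "reject", "non_necessary_after_reject")):
        names = sorted(c.name for c in phases[phase] if not is_necessary(c))
        if rule in FRAMEWORK_RULES[framework] and names:
            findings[label] = names
    return findings

# Constructed capture: _ga fired before the banner; IDE survived the reject.
ck = lambda name, domain="example.com": Cookie(name, domain)
PHASES = {"before": [ck("sessionid"), ck("__cf_bm"), ck("_ga")],
          "after_reject": [ck("sessionid"), ck("OptanonConsent"), ck("IDE", "doubleclick.net")],
          "after_accept": [ck("sessionid"), ck("_ga"), ck("IDE", "doubleclick.net"),
                           ck("_fbp"), ck("abtest")]}
```

Calling grade(PHASES, "GDPR") reports both the pre-consent _ga and the IDE cookie that persisted after reject, while grade(PHASES, "CCPA") reports only the latter; categorise(PHASES["after_accept"]) returns None for abtest, which is the case the page says needs human review.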

Supported CMPs

Detected via window globals, DOM signatures, or CDN-domain fingerprints. 8 of these are also reachable through their native programmatic reject API for reliable opt-out testing.

  • Axeptio
  • Cookiebot
  • CookieYes
  • Didomi
  • iubenda
  • OneTrust
  • Osano
  • Quantcast
  • Sourcepoint
  • Termly
  • TrustArc
  • Usercentrics

Supported scan regions

  • European Union (eu): GDPR + ePrivacy
  • United Kingdom (uk): UK GDPR + PECR
  • California (california): CCPA / CPRA
  • United States (us): CCPA equivalent (global baseline)
  • Brazil (brazil): LGPD
  • Canada (canada): PIPEDA

What CookieGap does not measure

These are the things you should pair CookieGap with — internal review, external counsel, or different tooling — to run a complete compliance program.

Documentation we can't audit

  • Data Processing Agreements with vendors
    Whether you have GDPR Art. 28 / CCPA service-provider contracts in place with every third party that touches user data.
  • Records of Processing Activities (Art. 30)
    Internal documentation of every processing purpose, recipient, retention period, and transfer mechanism.
  • Data Protection Impact Assessments
    Mandatory risk assessments for high-risk processing under GDPR Art. 35, LGPD Art. 38, and equivalents.
  • Lawful-basis appropriateness
    We detect whether consent appears to be obtained, but not whether the legal basis you have chosen for a given purpose is the correct one.

Backend behaviour we can't observe

  • Server-side data flow
    Anything that happens after data leaves the browser — server-to-server pixels, CDP joins, ad-tech bid-stream propagation, data-warehouse exports.
  • International data transfers
    Whether SCCs are signed, whether the recipient country is adequate, whether transfer impact assessments have been completed.
  • Data retention enforcement
    Whether your systems actually delete personal data after the retention period you've published.
  • Subject access request handling
    Whether your team can fulfil GDPR/CCPA access, deletion, and portability requests within the legal deadline.

Surfaces and signals we don't scan

  • Mobile apps and native SDKs
    Web-only. iOS, Android, and embedded SDKs require different tooling.
  • Authenticated user experience
    Scans run logged-out. Logged-in pages may load different cookies, e.g. preference scripts that only fire after sign-in.
  • Email marketing & CASL
    Commercial electronic message rules (Canada's Anti-Spam Legislation) apply to email channels we don't touch.
  • Global Privacy Control (GPC) signal honour
    We do not currently transmit Sec-GPC: 1 during scans nor verify that sites respond to it. Coming on the roadmap.
  • COPPA age-gating flows
    We don't simulate child-user paths or test age-verification gates. COPPA compliance for sites with children's content needs separate review.

Where our analysis is shallow

  • Privacy policy content quality
    We confirm a privacy policy exists. We do not parse it for completeness — disclosed recipients, retention periods, legal basis per purpose.
  • CMP category-to-cookie mapping correctness
    We trust the CMP's own categorisation of trackers. If the CMP wrongly labels Google Analytics as 'Necessary', we won't catch it without manual review.
  • Dark-pattern depth (beyond reject-button visibility)
    We detect missing reject buttons and pre-checked toggles. Subtler patterns — colour contrast manipulation, misleading copy, multi-step burials — need human review.
  • Per-US-state legal nuances
    We grade US scans against CCPA equivalent. Sensitive-data opt-in differences in Virginia / Colorado / Connecticut / Texas, and Quebec Law 25 specifics, are not separately scored.

This page is reviewed alongside scanner releases. Capability lists are derived from the live code; the limitations list above is maintained manually and last reviewed with each entry's date shown in the source. Last full review: 2026-04-30.