Privacy & GDPR
CMP consent checks, cookie inventory, and policy links with VisualQ's Privacy pillar.
Privacy is VisualQ's eighth quality pillar. It measures consent-before-tracking behavior — not tag variable quality (see Tracking) or cookie security flags (see Security scans).
Each audited page runs a triple-run protocol:
- Initial — no CMP interaction; capture cookies, network, storage, banner, policy link.
- Reject all — assert no analytics/marketing cookies or tracker hits.
- Accept all — assert expected trackers can fire when consent is granted.
What it checks
| Check | Weight | Pass criteria |
|---|---|---|
| CMP banner present | 15% | Overlay or __tcfapi detected |
| Reject as easy as accept | 10% | Reject-all control found |
| No non-essential cookies before action | 20% | No _ga, _fbp, etc. on first load |
| Zero trackers after reject | 25% | No analytics/ad network hits post-reject |
| Trackers after accept | 10% | Known trackers fire when site uses them |
| Cookie inventory classified | 10% | ≥80% cookies matched in Open Cookie Database |
| Privacy policy link | 10% | Visible link in footer or banner |
Optional signals (bonus, not penalized if absent): TCF 2.2 TC string, Google Consent Mode v2 defaults.
Legal disclaimer
Automated privacy audits assist compliance reviews — they are not legal advice, certification, or a substitute for DPO review. Policy text adequacy and cross-device consent sync are outside automated scope.
Where to work
| Surface | Path |
|---|---|
| Privacy dashboard | Project → Privacy tab |
| Run detail viewer | Privacy → latest run, or /privacy-viewer?runId= |
| Run programmatically | POST /api/tests/privacy or CI type: privacy |
| MCP | run_full_audit with pillars: ['privacy'] → get_pillar_report pillar privacy |
Rolling health
Site KPIs use the rolling health model: mean of per-page privacy scores audited in the last 30 days, with coverage shown (e.g. 67% coverage · 8/12 pages). The latest run alone is never the project score.