FarPoint Team · Compliance · 3 min read

Why Your CMP Banner Doesn't Guarantee Compliance

Your consent management platform tells you what it should block. But what actually fires on your site? Most automated scanners miss critical compliance gaps that a human-led audit catches.

Your consent management platform (CMP) is not a compliance guarantee. It’s a tool — and like any tool, it can be misconfigured, bypassed, or simply not doing what you think it’s doing.

Here are the most common gaps we find when we audit sites that already have a CMP installed.

The most common issue we see: analytics pixels, advertising trackers, and social media widgets activating on page load — before your CMP banner has even rendered.

This happens because:

  • Script loading order — Third-party scripts load before the CMP has time to evaluate consent
  • Hardcoded tags — Marketing teams add tracking tags directly to the page template, bypassing CMP controls
  • Server-side tagging — Google Tag Manager’s server-side container can fire tags that your client-side CMP can’t control

We detect this by testing every page in a pre-consent state and comparing observed network requests against what your CMP claims to block.

Even with a properly configured CMP, data can leak during the brief window between page load and CMP initialization.

This “leakage window” typically lasts 100-500 milliseconds — enough time for:

  • Analytics scripts to capture a pageview
  • Advertising pixels to log an impression
  • Fingerprinting scripts to probe browser APIs

Most automated scanners test only one consent state. FarPoint tests three: pre-consent, post-consent, and opt-out.
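
The comparison of observed requests against the CMP's claims, across the three consent states and the leakage window described above, sketched as an added example (not FarPoint's tooling or code from this post). The capture format, category names and `.example` hostnames are assumptions constructed for illustration.

```javascript
// Constructed capture: hostnames under .example are placeholders, not real trackers.
// Assumed format: per consent state, when the CMP became ready and what was requested.
const FIRST_PARTY = "shop.example";
const CMP_BLOCKLIST = { // categories the CMP claims to hold until consent
  analytics: ["stats.analytics.example"],
  advertising: ["px.ads.example"],
};
const CAPTURE = {
  "pre-consent": { cmpReadyMs: 320, requests: [
    { url: "https://shop.example/app.js", tMs: 40 },
    { url: "https://stats.analytics.example/collect?v=1", tMs: 110 },
    { url: "https://cdn.widgets.example/like.js", tMs: 150 },
  ] },
  "post-consent": { cmpReadyMs: 310, requests: [
    { url: "https://stats.analytics.example/collect?v=1", tMs: 1400 },
    { url: "https://px.ads.example/imp", tMs: 1450 },
  ] },
  "opt-out": { cmpReadyMs: 300, requests: [
    { url: "https://px.ads.example/imp", tMs: 1200 },
  ] },
};

const matches = (host, domain) => host === domain || host.endsWith("." + domain);

function categoryOf(host, blocklist) {
  for (const [category, domains] of Object.entries(blocklist)) {
    if (domains.some((d) => matches(host, d))) return category;
  }
  return null; // third party the CMP has no rule for
}

function auditCapture(capture, blocklist, firstParty) {
  const findings = [];
  for (const [state, { cmpReadyMs, requests }] of Object.entries(capture)) {
    for (const { url, tMs } of requests) {
      const host = new URL(url).hostname;
      if (matches(host, firstParty)) continue;
      const category = categoryOf(host, blocklist);
      if (category === null) {
        findings.push({ state, host, issue: "not-in-cmp-inventory" });
      } else if (state !== "post-consent") {
        // Consent absent or withdrawn, yet a category the CMP claims to block fired.
        const issue = tMs < cmpReadyMs ? "fired-before-cmp-ready" : "fired-without-consent";
        findings.push({ state, host, category, issue });
      }
    }
  }
  return findings;
}

console.log(auditCapture(CAPTURE, CMP_BLOCKLIST, FIRST_PARTY));
```

A scanner that captured only the post-consent state would report nothing for this sample; the findings come from the pre-consent and opt-out captures.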

Many CMPs focus on cookie consent but miss browser fingerprinting entirely. Fingerprinting scripts collect information about the user’s device — screen resolution, installed fonts, GPU model, audio stack — without setting a single cookie.

These scripts are particularly dangerous because:

  • They’re invisible to cookie-based detection tools
  • They can’t be blocked by traditional CMP cookie controls
  • Regulators increasingly view fingerprinting as requiring consent under GDPR Article 4(11)

We detect fingerprinting by monitoring for Canvas API calls, WebGL probes, AudioContext fingerprinting, and font enumeration — even when obfuscated.

Policy Misalignment

Your privacy policy describes one set of practices. Your site executes another. This is one of the most common — and most actionable — findings in our audits.

Typical misalignments include:

  • The policy says “we use cookies for analytics only” but advertising pixels are firing
  • The policy says “you can opt out at any time” but the opt-out mechanism doesn’t actually stop tracking
  • The policy lists 10 data processors but the site loads scripts from 25+ third-party domains

State Law Blind Spots

If your compliance program was built around GDPR, you may be compliant in Europe but exposed in the United States.

Emerging US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) have different requirements:

  • Opt-out is the default — Unlike GDPR’s opt-in model, US state laws generally require opt-out mechanisms
  • Data sale definitions vary — What constitutes a “sale” differs significantly between California and Virginia
  • Enforcement is accelerating — State attorneys general are actively enforcing, and the private right of action in some states adds additional risk

The FarPoint Difference

FarPoint pairs consent-aware scanning technology with analyst expertise. Every deliverable includes:

  • Three-state consent testing on every scanned page
  • Classification of trackers across 6 categories
  • Findings mapped to specific regulatory requirements (GDPR, ePrivacy, CCPA/CPRA, US state laws)
  • A prioritized remediation roadmap with implementation guidance

Your CMP banner doesn’t guarantee compliance. The only way to know is to test what actually fires.

[Schedule a consultation](https://farpointconsulting.com/contact) to learn more about our audit process.
