gdpr-cmp-detected
Consent management platform detected
A cookie-banner platform is in place on your site. The blueredix scanner doesn't click "Accept" or "Decline" for you, so verifying it actually blocks trackers before consent is something to do yourself.
What this means in plain English
The blueredix scanner detected a cookie-banner platform on your site — Cookiebot, Usercentrics, Borlabs, Klaro, CookieYes, OneTrust, Iubenda, or Real Cookie Banner. These platforms are the recommended way to comply with GDPR and the German TDDDG when your site uses non-essential cookies or third-party scripts.
This finding is informational, not a problem in itself. The catch is what it doesn’t tell you. The scanner observes the page on its first load — before any consent has been given. We can confirm the banner platform is present, but we don’t click “Accept” or “Decline” and don’t talk to the platform’s API to ask “what would you do if I declined?”. That part is on you to verify.
Why this matters
A consent platform that lets the trackers fire anyway is worse than no platform at all — it gives a false sense of legal cover. Two failure modes are common:
- The platform loads, but the trackers were placed outside its control. A Google Tag Manager tag, an Analytics snippet, or a Facebook Pixel embedded directly in the page template fires as soon as the browser parses the HTML — before the platform even has a chance to make a decision. The scanner’s other checks (tracker scripts, tracking cookies) catch this and flag the specific tracker.
- The platform is configured to “inform but not block”. Some platforms ship with a default that displays the banner but doesn’t actually wrap any scripts. Borlabs and Real Cookie Banner have explicit “block scripts before consent” toggles; without them, the platform is cosmetic.
Both failure modes are common enough that the German Datenschutzkonferenz (DSK) has explicitly named them as recurring violations.
What to verify yourself
Open your homepage in a fresh incognito window with developer tools open (Network tab) and decline cookies in the banner. Then reload the page. With the network log filtered for fonts.googleapis.com, google-analytics.com, googletagmanager.com, connect.facebook.net, and doubleclick.net, you should see no requests at all to those hosts. If any of them show up, the platform isn’t blocking them before consent.
A second check: in the Application tab → Cookies → your domain, the cookie list before consent should contain only the platform’s own cookies (typically named cookieyes-consent, borlabs-cookie, CookieConsent, etc.) plus your own session and CSRF cookies. Tracker cookies like _ga, _gid, _fbp, or _pin_unauth must not be there until after the visitor accepts.
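Both checks above can be repeated against a saved network log. The following is an added example, not part of the blueredix scanner or the original page: it assumes a HAR file exported from the Network tab after declining and reloading, and the names `auditHar`, `isTrackerHost` and `SAMPLE_HAR` are hypothetical.

```javascript
// Added example, not blueredix code. Hosts and cookie names are the ones
// listed on this page.
const TRACKER_HOSTS = ["fonts.googleapis.com", "google-analytics.com",
  "googletagmanager.com", "connect.facebook.net", "doubleclick.net"];
const TRACKER_COOKIES = ["_ga", "_gid", "_fbp", "_pin_unauth"];

// Match the domain itself or any subdomain, but not look-alikes such as
// "notdoubleclick.net".
function isTrackerHost(host) {
  return TRACKER_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// har: parsed HAR object (assumed input: a DevTools HAR export taken after
// declining the banner and reloading the page).
function auditHar(har) {
  const trackerRequests = [];
  const trackerCookies = new Set();
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the export: nothing to classify
    }
    if (isTrackerHost(host)) trackerRequests.push(entry.request.url);
    // Cookies written by scripts produce no Set-Cookie header; they surface in
    // the Cookie header of later requests, so inspect both directions.
    const seen = [...(entry.request.cookies || []), ...((entry.response || {}).cookies || [])];
    for (const c of seen) {
      if (TRACKER_COOKIES.includes(c.name)) trackerCookies.add(c.name);
    }
  }
  return {
    trackerRequests,
    trackerCookies: [...trackerCookies].sort(),
    pass: trackerRequests.length === 0 && trackerCookies.size === 0,
  };
}

// Constructed sample HAR (not real traffic); example.test is a placeholder site.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://example.test/", cookies: [{ name: "CookieConsent" }, { name: "_ga" }] },
    response: { cookies: [{ name: "session" }] } },
  { request: { url: "https://www.googletagmanager.com/gtm.js", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://stats.g.doubleclick.net/collect", cookies: [] }, response: { cookies: [] } },
  { request: { url: "https://notdoubleclick.net/x.js", cookies: [] }, response: { cookies: [] } },
] } };

console.log(auditHar(SAMPLE_HAR)); // pass is false for this sample
```

If the cookie arrays in an export are empty, the browser may have stripped cookie data from the HAR; in that case use the Application tab check for cookies and this script for the host check only.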
What to do if the verification fails
- For sites built on WordPress with a tag manager: move every analytics or advertising tag from the page template into Google Tag Manager, then configure GTM to fire only on a custom event the platform triggers after consent.
- For Real Cookie Banner / Borlabs: in the plugin settings, switch from “ask only” to “block scripts before consent” and explicitly register every third-party script.
- For Cookiebot / Usercentrics: their auto-blocking modes scan the page and block known trackers; verify the auto-blocking script tag is present in the page header before any tracker tag.