
Compliance Audit

What This Is

Before we can confirm whether your website's privacy and tracking controls are functioning as intended, and before we can responsibly recommend changes to your tag infrastructure, consent setup, or privacy disclosures, we need to understand how your site actually behaves in a visitor's browser.

The Compliance Audit evaluates your site's client-side tracking behavior against your own stated policies and against broadly accepted standards for user privacy controls. It works by analyzing network traffic recordings (HAR files) captured under three conditions: a clean page load with no consent interaction, a session in which the visitor rejected all non-essential tracking, and a session in which the visitor accepted all tracking. We also inspect your site directly to assess the consent banner, footer controls, and the accuracy of your privacy and cookie disclosures.

This audit does not assess your site against every applicable law or regulation. Privacy law varies by jurisdiction, and that analysis requires qualified legal counsel. What we assess is whether the mechanisms you have in place (your consent management platform, your tag configuration, and your privacy disclosures) are doing what they say they do.

Important Note: This audit is conducted by Agency 39A as a digital strategy and marketing operations agency. It is not legal advice and does not constitute a legal compliance determination. We assess whether your site's privacy mechanisms function as described and whether observable behaviors raise potential concerns. We do not determine whether your site meets the requirements of any specific law or regulation. For legal interpretation of your privacy obligations, we recommend engaging qualified legal counsel.

 

Why This Matters

Privacy controls only work if they actually work. A consent banner that presents a "Reject All" option but allows tracking to continue anyway creates a gap between what you tell users and what happens to their data. That gap is where risk lives, not because of any single law, but because it is a provable, demonstrable contradiction that can surface in complaints, vendor audits, regulatory inquiries, or litigation.

Common patterns we find across the sites we audit:

  • A consent management platform (CMP) is installed and the banner loads, but the tags it is supposed to control fire regardless of what the user chooses, including after a visitor explicitly rejects all non-essential tracking.
  • The cookie policy or privacy policy describes category-level consent controls that do not exist or do not function. The policy says users can manage preferences; the site does not provide a working mechanism to do so.
  • Two conflicting consent models exist simultaneously, for example, a footer notice stating that continued use constitutes consent alongside a cookie policy describing an active opt-in preference system.
  • Tags used for targeted advertising, remarketing, or cross-site identity resolution fire across all sessions with no differentiation between accepted and rejected states.
  • For patient-facing healthcare sites: marketing, analytics, and session replay tools run during appointment scheduling and other high-sensitivity patient workflows, transmitting health-intent context to third-party vendors.

Most of these issues are fixable. The audit tells you exactly what is broken, which vendors are involved, and what needs to change.

 

What We Examine

The Compliance Audit evaluates your site across four areas.

Consent Mechanism Behavior
We assess whether a consent banner is present, what type it is (opt-in, opt-out, or notice-only), and whether it actually controls tag execution. The core test is simple: do the tags you would expect to be blocked when a user clicks "Reject All" actually stop? We verify this by comparing network traffic across the three consent states captured in the HAR files.

Tag Gating and Third-Party Data Sharing
We inventory every third-party vendor observed across all three sessions and map which vendors fire in each consent state. Any non-essential vendor (analytics, advertising, session replay, call tracking) appearing in the Reject All session is a gating failure. We document exactly which vendors are affected, how many requests they generate, and what data they receive.
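The three-state comparison described under Consent Mechanism Behavior and Tag Gating above can be scripted. The following is an added example, not the agency's own tooling: it reads three HAR captures, drops first-party requests, rolls the remaining hosts up to vendors, and flags two conditions, non-essential vendors that fire on the clean load before any consent interaction, and non-essential vendors that still fire after Reject All. The first-party domain, the vendor-to-category table, the set of categories treated as essential, and the embedded HAR contents are all constructed assumptions for the example; a real run would replace them with the audited site's domain, its cookie-policy categories, and the captured .har files.

```python
"""Flag consent-gating failures by diffing third-party hosts across three HAR captures."""
import json
from collections import Counter
from urllib.parse import urlsplit

FIRST_PARTY = "example-clinic.test"            # assumption: the audited site's own domain
STATES = ("clean", "reject_all", "accept_all")  # the three capture conditions

# Assumed vendor table: (host suffix, vendor name, consent category).
# In a real audit this comes from the site's own cookie-policy categories.
VENDOR_PATTERNS = [
    ("cdn.consent.test", "CMP script", "consent"),
    ("googletagmanager.com", "Google Tag Manager", "tag manager"),
    ("google-analytics.com", "Google Analytics", "analytics"),
    ("doubleclick.net", "Google Ads", "advertising"),
    ("connect.facebook.net", "Meta Pixel", "advertising"),
    ("hotjar.com", "Hotjar", "session replay"),
]
# Assumption: the CMP and the tag loader itself are allowed in every state;
# everything else must be absent on the clean load and after Reject All.
ESSENTIAL_CATEGORIES = {"consent", "tag manager"}


def _har(urls):
    """Build a minimal HAR 1.2 document (only the fields this script reads)."""
    entries = [{"request": {"method": "GET", "url": u}} for u in urls]
    return {"log": {"version": "1.2", "entries": entries}}


# Constructed sample captures standing in for the three real .har files.
SAMPLE_HARS = {
    "clean": _har([
        "https://example-clinic.test/",
        "https://cdn.consent.test/cmp.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-TEST",
        "https://www.google-analytics.com/g/collect?v=2",      # fires before any consent
    ]),
    "reject_all": _har([
        "https://example-clinic.test/",
        "https://cdn.consent.test/cmp.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-TEST",
        "https://www.google-analytics.com/g/collect?v=2",      # still firing after Reject All
        "https://www.google-analytics.com/g/collect?v=2&en=scroll",
        "https://static.hotjar.com/c/hotjar-1.js",             # session replay after Reject All
        "https://script.hotjar.com/modules.js",
    ]),
    "accept_all": _har([
        "https://example-clinic.test/",
        "https://cdn.consent.test/cmp.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-TEST",
        "https://www.google-analytics.com/g/collect?v=2",
        "https://stats.g.doubleclick.net/g/collect?v=2",
        "https://connect.facebook.net/en_US/fbevents.js",
        "https://static.hotjar.com/c/hotjar-1.js",
        "https://cdn.unknown-widget.test/chat.js",             # not in the vendor table
    ]),
}


def load_har(source):
    """Accept an already-parsed HAR dict or a path to a .har file."""
    if isinstance(source, dict):
        return source
    with open(source, encoding="utf-8") as fh:
        return json.load(fh)


def request_hosts(har):
    """Count requests per hostname in one capture."""
    hosts = Counter()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            hosts[host.lower()] += 1
    return hosts


def is_first_party(host, first_party=FIRST_PARTY):
    return host == first_party or host.endswith("." + first_party)


def classify(host):
    """Map a hostname to (vendor, category); unknown hosts keep their name for the inventory."""
    for suffix, vendor, category in VENDOR_PATTERNS:
        if host == suffix or host.endswith("." + suffix):
            return vendor, category
    return host, "unclassified"


def vendor_matrix(hars, first_party=FIRST_PARTY):
    """Return {vendor: {"category": str, "clean": n, "reject_all": n, "accept_all": n}}."""
    matrix = {}
    for state in STATES:
        for host, count in request_hosts(load_har(hars[state])).items():
            if is_first_party(host, first_party):
                continue
            vendor, category = classify(host)
            row = matrix.setdefault(vendor, {"category": category, **{s: 0 for s in STATES}})
            row[state] += count
    return matrix


def _non_essential_firing(matrix, state):
    return sorted(v for v, row in matrix.items()
                  if row["category"] not in ESSENTIAL_CATEGORIES and row[state] > 0)


def fires_before_consent(matrix):
    """Non-essential vendors seen on the clean load, before any banner interaction."""
    return _non_essential_firing(matrix, "clean")


def gating_failures(matrix):
    """Non-essential vendors that still fire after the visitor clicked Reject All."""
    return _non_essential_firing(matrix, "reject_all")


def unclassified_vendors(matrix):
    """Third-party hosts the vendor table does not know; each needs a manual category."""
    return sorted(v for v, row in matrix.items() if row["category"] == "unclassified")


if __name__ == "__main__":
    m = vendor_matrix(SAMPLE_HARS)
    for vendor, row in sorted(m.items()):
        print(f"{vendor:22} {row['category']:14} " + " ".join(f"{s}={row[s]}" for s in STATES))
    print("fires before consent:", fires_before_consent(m))
    print("gating failures:     ", gating_failures(m))
    print("needs classification:", unclassified_vendors(m))
```

Two design points matter for the evidence trail. Request counts per state are kept rather than a simple present/absent flag, because the report cites how many calls each vendor made after rejection, and a single stray beacon reads very differently from a full session-replay stream. Unknown hosts are surfaced separately instead of being silently treated as essential, so every third party in the capture ends up in the inventory with an explicit category before the pass/fail result is trusted.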

Privacy and Cookie Disclosures
We review your Privacy Policy and Cookie Policy against the observed tag behavior to identify contradictions. If your policy states that non-essential tracking requires consent, we verify whether the observed behavior matches that claim. We also check that the vendors named or described in your disclosures align with the vendors we observe in the network traffic.

Patient Workflows (Healthcare Sites Only)
For patient-facing healthcare properties, we evaluate whether marketing, advertising, analytics, and session replay tools are running during appointment scheduling and other patient-intent workflows. Health-seeking behavior in a browser creates a category of data sensitivity that warrants specific controls, regardless of whether a consent banner is present.

 

How This Connects to the Broader Project

A Compliance Audit is not a standalone exercise. Its findings connect directly to tag management, CMP configuration, and privacy disclosure work that often runs in parallel with a redesign or digital strategy engagement.

The audit establishes a clear, evidence-based picture of what is happening today. That picture informs decisions about which vendors to keep, which to restrict, which to configure correctly, and what the privacy policy needs to say to accurately reflect the site's behavior after remediation. It also provides a baseline: after fixes are made, the same three HAR captures can be run again to confirm that the issues are resolved.

For organizations operating sites across multiple states or under healthcare privacy standards, the audit supports a consistent, defensible approach: rather than attempting to track and satisfy the specific requirements of each jurisdiction, we assess against a high-standard baseline that reduces exposure across all of them.

 

What You Get

The Compliance Audit produces four deliverables.

  1. A key findings document presents the highest-impact issues in plain language, written as presentation-ready copy. Each finding states what was observed, why it raises concern, and what should be done. This document is designed to be used as the narrative foundation for a client presentation; findings are drafted for non-technical stakeholders who need to understand the issue and make decisions about remediation.
  2. A compliance checklist provides a structured Pass / Fail / N/A view of every check performed, organized by category, with evidence citations and detail explanations for each result. This is the working document that connects each finding to the specific HAR evidence that supports it.
  3. A tag firing inventory provides a cross-session view of every third-party vendor observed, showing exactly which vendors fire under each consent condition (clean load, reject all, and accept all). Color-coded to make gating failures immediately visible, this is the primary technical reference for the team responsible for fixing the CMP and tag configuration.
  4. An audit log provides all findings in a flat, structured format compatible with a master project audit log. Each row states the audit type, finding, and recommendation. This feeds directly into the consolidated discovery report compiled across all audit types during a project.