TL;DR
- The "Green Light" in your CMP dashboard is not proof of network-level blocking
- Regional "Auto-Accept" settings often violate GDPR for EU visitors
- GTM race conditions are the #1 cause of pre-consent leakage
- A "Reject All" button must be as prominent as "Accept All" in most jurisdictions
Verdict
If your handoff process only checks "Is the banner visible?" you are missing 80% of the risk. Compliance is verified in the Network tab, not the UI.
1. The "Default Denied" State
Under GDPR, consent must be proactive. This means all non-essential trackers must be set to denied by default before any user interaction. Agencies often miss this, relying on the CMP to "auto-fix" it, which it cannot do if GTM is set to fire on All Pages.
2. The Regional Trap
Many CMPs offer "geotargeting." They show a strict banner in the EU and a "notice only" banner in the US. If your US setup fires trackers on load, ensure your geotargeting is bulletproof. If a VPN user from Germany hits your "US" configuration, you are in violation.
3. GTM Race Conditions
If your GTM container loads before the CMP script, any tag with an All Pages trigger will fire before the CMP can tell it to wait. This 200ms gap is where most pre-consent trackers hide.
The Fix: Use a custom consent_initialized event or GTM Consent Mode to hold tags until the CMP signal is received.
4. "Reject All" Parity
European regulators (CNIL, DSB, etc.) now mandate that "Rejecting" must be as easy as "Accepting." If you have a big blue "Accept All" button and a tiny "Settings" link, you are likely non-compliant.
The Final 6
- 5. Vendor Blocking: Don't trust "Auto-blocking" features. Verify they actually stop the network request.
- 6. Log Retention: Can you prove John Doe clicked Accept on Tuesday? Your CMP must store an immutable consent log.
- 7. Hard Refresh Testing: Test with Disable Cache on. This is where race conditions appear.
- 8. New Tag Audits: Marketing teams add tags weekly. Each one must be mapped to a consent category.
- 9. Essential Overlap: Don't classify Meta Pixel as "Essential." It isn't, and DPAs will fine you for it.
- 10. The 6-Month Audit: Sites drift. Configurations change. Audit the network trace every 6 months or after every major GTM change.
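One way to automate the network-trace check from items 5, 7 and 10, as an added example that is not part of the original article: it reads a HAR export from the browser's Network tab and flags tracker requests that started before the consent click or belong to a category the visitor did not grant. The tracker-to-category map, the function names and the sample HAR entries are assumptions constructed for illustration.

```javascript
// Added example: the host list, categories and HAR excerpt are constructed.
const TRACKERS = {
  'google-analytics.com': 'analytics',
  'connect.facebook.net': 'marketing',
  'facebook.com': 'marketing',
  'analytics.tiktok.com': 'marketing',
};

// Return the consent category for a URL, or null if it is not a listed tracker.
function categoryFor(url, trackers = TRACKERS) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  for (const [domain, category] of Object.entries(trackers)) {
    // Match the domain itself or a subdomain, never a lookalike suffix.
    if (host === domain || host.endsWith('.' + domain)) return category;
  }
  return null;
}

// consent = { at: ISO time of the banner click or null, granted: [categories] }
function findLeaks(har, consent, trackers = TRACKERS) {
  const clickedAt = consent.at ? Date.parse(consent.at) : Infinity;
  const leaks = [];
  for (const entry of har.log.entries) {
    const category = categoryFor(entry.request.url, trackers);
    if (!category) continue;
    const started = Date.parse(entry.startedDateTime);
    if (started < clickedAt) {
      leaks.push({ url: entry.request.url, category, reason: 'before-consent' });
    } else if (!consent.granted.includes(category)) {
      leaks.push({ url: entry.request.url, category, reason: 'category-not-granted' });
    }
  }
  return leaks;
}

// Constructed HAR excerpt: hard refresh, banner clicked at 10:00:01.000Z.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2024-01-01T10:00:00.150Z', request: { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX' } },
  { startedDateTime: '2024-01-01T10:00:00.200Z', request: { url: 'https://www.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2024-01-01T10:00:01.400Z', request: { url: 'https://region1.google-analytics.com/g/collect?v=2' } },
  { startedDateTime: '2024-01-01T10:00:01.500Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
  { startedDateTime: '2024-01-01T10:00:01.600Z', request: { url: 'https://notgoogle-analytics.com/x.js' } },
] } };

console.log(findLeaks(SAMPLE_HAR, { at: '2024-01-01T10:00:01.000Z', granted: ['analytics'] }));
```

Run it once per test path (no click, Accept All, Reject All, each regional configuration) and treat any non-empty result as a failed handoff.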