The typical agency compliance workflow ends with a CMP installed, a cookie banner visible, and a verbal assurance to the client that “everything is set up correctly.” That assurance is worth nothing if a data protection authority asks the client to demonstrate compliance at a specific point in time. The DPA will want evidence: what was the site doing before consent, which cookies were categorised how, and what was the consent record? If the agency cannot produce that evidence, the client cannot produce it either — and the liability sits with whoever signed off on the implementation.
TL;DR
- A compliance deliverable is a dated, signed-off document — not a verbal confirmation or a CMP dashboard screenshot.
- The core evidence is a network trace of pre-consent behaviour: what fired, what didn't, and when.
- The deliverable should include a cookie inventory with GDPR legal-basis classification and remediation status per tracker.
- Monthly re-audits convert a one-time handover into an ongoing retainer and maintain a compliance record as the site changes.
Verdict
The compliance conversation ends when you hand over evidence, not when you finish configuring the CMP. A network audit report dated and signed at time of delivery is the only artefact that demonstrates what the site was actually doing — not what it was configured to do.
Why configuration screenshots are not proof
The most common compliance artefact agencies provide is a screenshot of the CMP dashboard showing tags assigned to categories. This proves configuration intent. It does not prove runtime behaviour.
GTM Consent Mode v2 race conditions can cause a correctly configured tag to fire before the consent state is evaluated. A CMP installed on one subdomain may not cover another subdomain where a key tag is loaded. A recent GTM container update may have overridden the consent gating without the CMP configuration changing. None of these failures appears in a CMP dashboard screenshot.
A DPA investigating a complaint will not look at the CMP dashboard. They will look at network requests made by the browser during an unconsented session. If a tracking request appears before consent, the configuration is irrelevant to the enforcement case.
What belongs in a compliance deliverable
A defensible compliance deliverable has four components:
- Pre-consent network request timeline. A timestamped record of every network request made from page load to consent click, in an unconsented browser session. This is the core evidence. It shows what fired and when, not what was supposed to fire.
- Cookie inventory with legal-basis classification. Every cookie the site sets, categorised by purpose, with the GDPR legal basis for each. "Strictly necessary" classifications must be justified. Analytics and advertising cookies must be shown as gated behind consent.
- Remediation status per tracker. For each tracker found in the audit: what was the finding, what was the fix, and what does the post-fix network scan show. This creates an audit trail from violation to resolution.
- Scan date and scope. The URL scanned, the date, the browser environment, and the consent state used for the scan. This is what makes the document legally meaningful — it records compliance at a specific point in time, not in the abstract.
The network scan as forensic evidence
A network scan intercepts every outbound request the browser makes during an unconsented session — before any consent banner interaction. It captures the exact URLs, request payloads, cookie writes, and timing. This is the same evidence a DPA would collect if they audited the site directly.
The scan must be run in a clean session: no prior cookies, no cached consent state, no browser extensions that interfere with requests. A session with existing consent cookies will not reproduce the pre-consent behaviour accurately.
Manual scans via DevTools work for a single URL and are documented in our DevTools audit guide. For a deliverable that documents multiple pages and produces a structured report, an automated headless scan is the practical path — it runs a full session, intercepts requests at the network layer, and exports the findings in a format that can be attached to a client handover.
Structuring the client handover conversation
The compliance conversation with a client has two distinct parts: the finding and the evidence. Most agencies conflate them by saying “we fixed the consent setup” without separating the before-state from the after-state.
A cleaner structure:
- Pre-audit scan: what the site was doing before remediation. This establishes the baseline and acknowledges the violation explicitly.
- Remediation summary: what was changed in GTM / CMP and why.
- Post-remediation scan: the same scan run after the fix, showing zero pre-consent tracking requests. This is the proof.
- Ongoing risk note: what could reintroduce the violation — a new GTM tag, a CMP update, a subdomain launch — and the monitoring protocol to catch it.
This structure gives the client a complete paper trail and makes clear that compliance at time of delivery does not guarantee compliance if the site changes. That framing naturally introduces the case for ongoing monitoring.
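The following Node.js script is an added example, not code from the original page or from any scanner vendor: it turns a clean-session capture (request timeline plus cookie-jar dump) into the four deliverable components described earlier and then derives the per-tracker remediation status by comparing the pre-audit report with the post-remediation one. The tracker patterns, the cookie purpose table, the URL and the timestamps are constructed assumptions.

```javascript
// Added example, not the page's or any vendor's code. It post-processes what a headless
// scan (request interception plus a cookie-jar dump in a fresh profile) would capture;
// the tracker patterns, purpose table, URL and timestamps below are constructed.
const TRACKERS = [                       // request patterns for trackers the page names
  { name: 'GA4',          re: /google-analytics\.com\/g\/collect/ },
  { name: 'Meta Pixel',   re: /facebook\.com\/tr(\?|$)/ },
  { name: 'TikTok Pixel', re: /analytics\.tiktok\.com\// },
];
const PURPOSE = {                        // assumed purpose / legal-basis classification
  session: { purpose: 'strictly necessary', basis: 'exempt (needed for the requested service)' },
  _ga:     { purpose: 'analytics',          basis: 'consent, GDPR Art. 6(1)(a)' },
  _fbp:    { purpose: 'advertising',        basis: 'consent, GDPR Art. 6(1)(a)' },
};
const trackerOf = (url) => (TRACKERS.find(t => t.re.test(url)) || { name: null }).name;

// One dated report from a clean-session capture. scope: { url, scannedAt, browser, consentState };
// requests: [{ t (ms), url }]; cookieJar: [{ t (ms first seen), name }]; consentAtMs: click time or null.
function buildReport(scope, requests, cookieJar, consentAtMs) {
  const preConsent = (x) => consentAtMs == null || x.t < consentAtMs;
  const timeline = requests.filter(preConsent).map(r => ({ ...r, tracker: trackerOf(r.url) }));
  const cookies = cookieJar.filter(preConsent).map(c => {
    const info = PURPOSE[c.name] || { purpose: 'unclassified', basis: 'review required' };
    return { ...c, ...info, violation: info.purpose !== 'strictly necessary' };  // written pre-consent
  });
  const findings = [...new Set(timeline.map(r => r.tracker).filter(Boolean))];
  return { ...scope, consentAtMs, timeline, cookies, findings };
}

// Remediation status per tracker: pre-audit report vs. post-remediation report.
function remediationStatus(before, after) {
  const names = [...new Set([...before.findings, ...after.findings])];
  return names.map(tracker => ({
    tracker,
    status: !after.findings.includes(tracker) ? 'resolved'
          : before.findings.includes(tracker) ? 'still firing pre-consent' : 'regression',
  }));
}

// Constructed sample: GA4 and Meta fire before the consent click at 1500 ms, TikTok after it.
const scope = { url: 'https://example.com/', scannedAt: '2024-05-01T09:00:00Z',
                browser: 'headless Chromium, fresh profile, no extensions', consentState: 'none' };
const requests = [
  { t: 120,  url: 'https://example.com/' },
  { t: 340,  url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-CONSTRUCTED' },
  { t: 410,  url: 'https://www.facebook.com/tr?id=000&ev=PageView' },
  { t: 1700, url: 'https://analytics.tiktok.com/i18n/pixel/events.js' },
];
const cookieJar = [{ t: 130, name: 'session' }, { t: 350, name: '_ga' }, { t: 420, name: '_fbp' }];
const before = buildReport(scope, requests, cookieJar, 1500);
// Post-remediation capture: only the first-party request and cookie remain before consent.
const after = buildReport(scope, requests.slice(0, 1), cookieJar.slice(0, 1), 1500);
console.log(JSON.stringify({ findings: before.findings, status: remediationStatus(before, after) }));
```

In a real handover the two captures come from separate scans of the same URL, and the report objects are what get dated, signed off and attached to the client file.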
Building recurring compliance into the agency retainer
A one-time compliance audit becomes stale the first time a developer adds a new GTM tag or a CMP update changes the tag firing order. Sites with active marketing teams can invalidate a consent setup within weeks of a clean handover.
Monthly consent audits convert the compliance deliverable from a project milestone to a recurring line in the retainer. The deliverable is the same each month: a dated network scan, a cookie inventory, and a remediation log showing the delta since the previous report. The client gets an ongoing compliance record; the agency gets a recurring revenue stream that is difficult to cancel because the alternative is an undocumented compliance gap.
The practical question for agencies is how to produce these reports at scale without manual DevTools work on every client site. Automated scanning that produces a structured PDF output — with network timelines, cookie inventories, and GDPR citations built in — is the operational model that makes monthly compliance reporting commercially viable.