Most consent banners are decorative. They were installed, not designed: the plugin blocks the tags it knows about, everything else fires anyway, and the privacy policy describes a site that stopped existing two redesigns ago. Nobody notices until a user complains or a data protection authority writes a letter, and a letter is a genuinely bad way to find out what your tags do.
The position this hub argues
Three things, consistently:
- Compliance is a state you maintain, not a badge you are issued. Nobody honest sells "guaranteed 100% GDPR compliant." What you can have is an accurate map of your exposure and a fix list ordered by real-world risk.
- The network tab outranks the settings page. What your CMP dashboard says it blocks and what your site actually sends are two different facts. Only one of them shows up in an audit, a complaint, or a regulator's inspection.
- Every fix has a data cost, and you deserve to know it. Turning off a leaking tag loses you some measurement. Pretending there is no trade-off is its own kind of dishonesty; the job is making the trade-off informed.
One boundary, stated plainly: I map what your site technically does with data. What that means for your legal obligations is your lawyer's half of the job. The good ones are worth it, and they cannot inspect network requests any more than I can interpret case law.
Start with what your consent banner isn't blocking: it is the most common failure, and you can test it yourself in fifteen minutes. If what you find worries you, the Compliancy audit is a flat €500 and one to two days, tag by tag.