How to audit consent before a GDPR review

Regulators, enterprise clients, and insurance reviews increasingly ask for proof—not promises—that marketing tags respect user choice. A structured consent audit reduces legal exposure and fixes the measurement bugs that silently inflate opt-out populations.

Use this playbook before a formal GDPR review, major CMP migration, or enterprise RFP security questionnaire.

Step 1: Map the live tag inventory

Export from GTM:

  • All tags, triggers, variables, and consent settings
  • Workspace vs live container diff (unpublished experiments count too)

Look outside GTM:

  • Hardcoded scripts in theme, Shopify app embeds, tagless pixels
  • Mobile app SDKs (Firebase, Adjust, Meta SDK)
  • Server-side endpoints forwarding to ad networks

Deliverable: spreadsheet with tag name, vendor, purpose, consent category, owner, last reviewed date.

Step 2: Align policy and CMP

  • Compare cookie policy vendor list to inventory—flag gaps both directions
  • Verify banner languages match site locales
  • Confirm privacy policy links from banner work and version dates are current
  • Check CMP stores consent proof (fields, retention, export format)

Step 3: Test user journeys (every locale)

For each language/region you support:

Journey                      | Expected behavior
-----------------------------|------------------------------------------------------------------
First visit, no action       | No non-essential cookies; Google tags paused or denied per config
Reject all                   | Analytics/ads blocked; necessary cookies only
Accept all                   | Tags fire after update; Consent Mode granted
Analytics only               | Marketing tags blocked; GA4 allowed if configured
Re-open preferences & revoke | Tags stop on update without requiring cache clear

Record screen captures, Tag Assistant exports, and HAR/network snippets (redact PII).

Step 4: Technical deep checks

  • Consent race conditions — refresh 10 times quickly; tags must not leak on load
  • Single Page App navigation — consent persists; tags do not double-fire
  • Logged-in users — different subdomains (app vs www) share or isolate consent correctly
  • Payment pages — third-party scripts (Stripe, PayPal) classified correctly
  • Query params / email links — no PII leaked into analytics on landing
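
As an added example (not part of the original playbook), a small Python check for the HAR captures collected in Steps 3 and 4: it flags non-essential tags that fired before the consent grant, hosts absent from the Step 1 inventory, and analytics hits carrying an e-mail address in the query string. The INVENTORY map, the cmp.example grant endpoint and the sample capture are constructed assumptions, not a real CMP or vendor list.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qsl

# Constructed vendor map (host -> consent category), as the Step 1 inventory
# spreadsheet would supply it. "cmp.example" is a hypothetical CMP endpoint.
INVENTORY = {
    "shop.example": "necessary",
    "js.stripe.com": "necessary",
    "cmp.example": "necessary",
    "www.google-analytics.com": "analytics",
    "www.facebook.com": "marketing",
}
CONSENT_GRANT_HOST = "cmp.example"  # first request here = moment consent was given
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

def started(entry):  # HAR startedDateTime -> aware datetime ('Z' suffix normalised)
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))

def audit_har(har):
    """Return (finding, host) pairs for one journey's parsed HAR: non-essential tags
    fired before consent, hosts missing from the inventory, PII in analytics hits."""
    entries = sorted(har["log"]["entries"], key=started)
    grants = [started(e) for e in entries
              if urlparse(e["request"]["url"]).hostname == CONSENT_GRANT_HOST]
    granted_at = min(grants) if grants else None  # None = user never consented
    findings = []
    for e in entries:
        url = urlparse(e["request"]["url"])
        category = INVENTORY.get(url.hostname)
        if category is None:  # vendor not in the inventory: transparency gap
            findings.append(("unknown_vendor", url.hostname))
            continue
        before_consent = granted_at is None or started(e) < granted_at
        if category != "necessary" and before_consent:
            findings.append(("fired_before_consent", url.hostname))
        if category == "analytics" and any(
                EMAIL_RE.search(v) for _, v in parse_qsl(url.query)):
            findings.append(("pii_in_params", url.hostname))
    return findings

def entry(ts, url):  # minimal HAR entry shape used by the constructed sample
    return {"startedDateTime": ts, "request": {"url": url}}

# Constructed capture of a "first visit, accept all" journey with one early leak.
SAMPLE_HAR = {"log": {"entries": [
    entry("2024-05-01T10:00:00.000Z", "https://shop.example/"),
    entry("2024-05-01T10:00:00.400Z", "https://www.facebook.com/tr?id=123&ev=PageView"),
    entry("2024-05-01T10:00:02.000Z", "https://cmp.example/consent?choice=accept_all"),
    entry("2024-05-01T10:00:02.300Z", "https://www.google-analytics.com/g/collect?v=2&em=jane%40example.org"),
    entry("2024-05-01T10:00:02.500Z", "https://chat.unknown-vendor.example/boot"),
]}}
```

Run it against a HAR exported from the browser (json.load the file and pass the dict) once per journey in the table above; an empty result for the reject-all and first-visit journeys is the evidence the pack needs.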

Step 5: Collect evidence pack

Organize for legal/DPO:

  • Audit date, scope, testers, environments (prod vs staging)
  • Tag inventory + remediation log
  • CMP consent log samples (anonymized)
  • Before/after network comparisons
  • Sign-off from engineering and marketing leads

Step 6: Remediate and re-test

Prioritize by risk × exposure:

  1. Ad pixels and identity tools firing without consent
  2. Session replay and chat capturing form fields
  3. Analytics with PII parameters
  4. Missing vendors in policy (transparency risk)

Assign owners and deadlines. Re-run identical test scripts after fixes—auditors love repeatable evidence.

Ongoing cadence

  • Quarterly full audit for high-traffic EU properties
  • Every release that touches GTM, CMP, checkout, or login
  • Immediately when legal updates policy or marketing adds a vendor

When to hire specialists

If internal teams lack GTM + CMP depth, external auditors find issues faster and leave you with test scripts you can rerun internally. One thorough audit often pays for itself in recovered ad signal and avoided fines.

A consent audit is not a one-off project—it is a recurring control, like penetration testing for your marketing stack.