Complete compliance platform
Everything your site needs.
One script tag.
ConsentPixel — Privacy · Verified covers every compliance requirement your business faces — CIPA, GDPR, CCPA, and all US state laws — with a single async pixel that loads in under 50ms.
01 — CIPA & Tracker Blocking
Trackers physically cannot fire
until the visitor consents.
Unlike basic tag managers that just "pause" scripts, ConsentPixel — Privacy · Verified intercepts at the browser level. Hotjar, FullStory, Clarity and 2,000+ other trackers are completely prevented from executing — not slowed, not flagged — prevented. This is the difference between legal exposure and legal protection.
MutationObserver intercept — rewrites
type="text/javascript" to text/plain before the browser can execute any script. Works on dynamically injected scripts too.
window.fetch + XHR monkey-patch — blocks outbound network requests to tracker domains at the API level. No request leaves the browser without consent.
GTM dataLayer intercept — injects consent state before Google Tag Manager loads. Blocked at the tag level, not just the network level.
CIPA named blocklist — Hotjar, FullStory, Clarity, Lucky Orange, Mouseflow, LogRocket, SessionCam, Inspectlet, Crazy Egg, Smartlook explicitly named and blocked. The exact tools plaintiff firms scan for.
Instant re-enable on consent — when a visitor accepts, blocked scripts are restored per category in under 50ms. No page reload needed.
CIPA §631 Protection
CIPA §638.51 Pen Register
2,000+ trackers
ConsentPixel — Tracker Shield
Live tracker status — yoursite.com
● All blocked
Hotjar
Session Recording · CIPA §631
🚫 Blocked — CIPA risk
Microsoft Clarity
Session Recording · CIPA §631
🚫 Blocked — CIPA risk
Google Analytics 4
Analytics
✓ Blocked until consent
Meta Pixel
Marketing · CIPA §638.51
✓ Blocked until consent
Intercom
Functional (always allowed)
○ Functional — exempt
🛡 0 trackers firing before consent · Kind Law scanner cannot find a violation
02 — Active Site Scanner
We scan your site the way
plaintiff firms do. Before they do.
ConsentPixel — Privacy · Verified runs a real headless Chromium browser against your site with zero cookies, zero localStorage — a perfect simulation of a first-time visitor. We capture every network request, every cookie set, every script that fires. Then we tell you exactly what's at risk before a demand letter arrives.
Playwright headless crawler — visits your homepage plus up to 3 internal pages (checkout, contact, pricing) as a fresh visitor. Records all network activity in the first 15 seconds.
Cookie deep audit — every cookie set before consent is logged with name, domain, expiry, SameSite flag, and privacy classification. First-party and third-party both.
Risk scoring A–F — clear grade based on CIPA exposure, unconsented trackers, missing banner, and cookie violations. Not a vague "medium risk" — a specific, actionable score.
Downloadable PDF report — professionally formatted compliance report with your domain, scan date, risk score, tracker inventory, remediation checklist. Growth+ plans only.
Scan history & trend — compare risk scores over time. See when a new tracker appeared and when it was fixed. Your compliance timeline at a glance.
Weekly — Starter
Daily — Growth+
On-demand — all plans
$ scan --fresh-session --depth 3 yoursite.com
→ Launching Chromium (no cookies, no storage)
→ Loading: yoursite.com
→ REQUEST [0.4s]: static.hotjar.com ⚠ CIPA
→ REQUEST [0.5s]: www.clarity.ms ⚠ CIPA
→ REQUEST [0.6s]: googletagmanager.com
→ COOKIE [0.8s]: _fbp · meta.com · 90d
→ Consent banner: NOT DETECTED
Risk Grade: F — Critical
CIPA violations: 2 · Est. exposure: $4.2M
→ Alert sent · Report generated · PDF ready
A
Clean
B
Low risk
C
Medium
D
High
F
Critical
03 — Consent Banner Builder
Banners that are legally compliant
and dark-pattern-free.
CCPA 2026 regulations (effective January 1, 2026) explicitly prohibit dark patterns in consent UI — asymmetric buttons, buried reject options, fake urgency. ConsentPixel — Privacy · Verified enforces balanced design programmatically. You cannot accidentally build a non-compliant banner.
Visual no-code builder — colour picker, text editor, logo upload, layout selector (bottom bar, centred modal, corner widget). Live preview at desktop and mobile breakpoints.
Regulation-aware auto-mode — serves GDPR opt-in for EU/UK visitors, CCPA opt-out for California, state-specific banners for VA/CO/TX/FL/CT. All from one configuration.
GPC signal support — reads
navigator.globalPrivacyControl and the Sec-GPC header. California visitors with GPC enabled automatically receive opt-out treatment. CCPA 2026 compliant.
Shadow DOM isolation — the banner cannot be broken by your site's CSS. Renders identically on every platform. No z-index wars, no style conflicts.
12 languages at launch — auto-detects visitor language from browser headers. Separate text fields per language, not machine-translated filler.
Versioned publishing — every banner publish creates a permanent version. Consent logs reference the exact banner version shown. Your legal audit trail is unbreakable.
CCPA 2026 dark pattern rules
GPC signal compliant
12 languages
✅
Balanced button design enforced. Reject and Accept options are equal prominence — CCPA 2026 symmetry rules met.
🚫
Dark pattern blocked: Cannot set Accept button 3× larger than Reject. Dark patterns are rejected before publishing.
04 — Legal Document Generator
Privacy docs written from your
actual site — not a generic template.
Most privacy policy generators ask you a few questions and produce boilerplate. Ours reads the output of your site scan. Every tracker your site actually runs is listed by name, with its purpose, data sharing, and retention period — because those are the specifics that matter to regulators and plaintiffs.
Privacy policy — populated from your scan results. Lists actual trackers found. Includes GDPR rights section for EU visitors, CCPA rights for California visitors, auto-detected by visitor geography.
Cookie policy — every cookie your scanner found, categorised per IAB standard (strictly necessary, functional, analytics, marketing). Hosted at a permanent URL, auto-updates when new cookies are detected.
Terms & conditions — jurisdiction-aware governing law auto-set by your business country. US and EU variants with the appropriate clauses.
GDPR opt-in forms — embeddable HTML form snippets for email marketing, lead capture, and newsletter consent. Double opt-in flow included with hosted confirmation page.
Permanent hosted URLs — every document hosted at consent.consentpixel.com/policy/{slug}. Never changes URL. Update your content, the URL stays the same.
Scan-driven content
Auto-updates
DSAR management
consent.consentpixel.com/policy/a7f2b9
Privacy Policy
yoursite.com
Generated from scan · Last updated: May 14, 2026
This policy describes how yoursite.com collects, uses, and shares personal data. The following third-party tools were detected on this site during our privacy scan:
Google Analytics 4
Analytics · 14 months
Meta Pixel
Marketing · 90 days
Hotjar ⚠
Blocked — CIPA risk
05 — Trust Badge & Certificates
A badge that proves compliance.
Not just claims it.
Any site can copy a badge image. The ConsentPixel — Privacy · Verified badge is cryptographically verified — served dynamically from our CDN, checking real-time compliance status on every serve. Green means clean. Amber means action needed. If someone fakes the badge, it turns red automatically.
HMAC anti-fakery — badge token is
HMAC-SHA256(site_id + domain + secret). Served from badge.consentpixel.com. Mismatched domain = instant fraud badge.
Real-time status — badge colour reflects your last scan result. Scanner finds a CIPA risk → badge turns amber → you're alerted → you fix it → badge returns green automatically.
Compliance certificate PDF — downloadable PDF with certificate number, issued date, regulations covered, scan methodology, and cryptographic signature hash. For RFPs, vendor questionnaires, and legal defence.
Public verification page — verify.consentpixel.com/{site-id} shows your compliance status publicly. Useful for enterprise prospects conducting vendor due diligence.
White-label badge — Agency plans serve the badge under your agency brand. "Compliance Verified by [Your Agency Name]" — not ConsentPixel.
HMAC cryptographic verification
PDF certificate
White-label ready
Badge States
consentpixel
Privacy Verified
● Clean
consentpixel
Action Required
⚠ Warning
Domain mismatch
Badge fraud detected
✗ Invalid
06 — Real-Time Alert Engine
Know before Kind Law does.
Every time.
Plaintiff firms scan continuously. ConsentPixel — Privacy · Verified monitors continuously. New CIPA-risk tracker detected at 2am on a Sunday? You're texted within minutes — before the demand letter is drafted. Every alert is verified by a Playwright scan before it fires. No false positives.
Verified before firing — passive pixel detects an anomaly → triggers a Playwright verification scan → alert only fires if confirmed. Industry-leading accuracy, zero false alarm fatigue.
11 alert types — CIPA detected, consent bypassed, banner not loading, new tracker detected, consent rate drop, badge domain mismatch, consent mode broken, certificate expiring, and more.
Multi-channel delivery — email (all plans), SMS for CIPA-critical alerts (Growth+), real-time portal notification centre, webhook delivery (Agency Pro).
One-click actions — every alert has inline actions: Approve Tracker, Block Tracker, Trigger Scan, Mark Reviewed. No navigating to find where to fix it.
Configurable per alert type — choose which alerts fire, which channels they go to, and who receives them. Per-site, per-user configuration.
Playwright verified
SMS for critical
Zero false positives
Notification Centre — Live
🚨 CIPA risk detected — FullStory
FullStory firing before consent on /checkout — verified by Playwright scan. Estimated CA exposure: $2.1M
⚠ New tracker detected — LinkedIn Insight
linkedin.com/px first seen on /about page. Not in current banner configuration.
✓ Scan complete — no issues found
Weekly scan passed. Risk grade: A. All 14 trackers blocked correctly. Badge status: Clean.
📱
SMS Alert Sent
ConsentPixel: CIPA risk on yoursite.com/checkout — FullStory firing pre-consent. Login to fix: consentpixel.com/portal
07 — Regulation Coverage
Every regulation your visitors
are covered by. Automatically.
ConsentPixel — Privacy · Verified detects each visitor's location from Cloudflare request headers and serves the correct consent banner for their jurisdiction — no manual setup required.
🇪🇺
GDPR
Opt-in consent required. Granular categories. Right to withdraw. Full EU/EEA + UK coverage.
✓ Covered — Phase 1
🇺🇸
CCPA / CPRA 2026
Opt-out model. Do Not Sell. GPC signal required. Dark patterns explicitly prohibited since Jan 2026. Symmetrical choices enforced.
✓ Covered — Phase 1
⚖️
CIPA §631 & §638.51
Session replay and pen register blocking. $5,000 statutory damages. Named blocklist for Hotjar, FullStory, Clarity. 1,641+ active lawsuits.
🚨 Primary differentiator
🇺🇸
VCDPA (Virginia)
Opt-out, sensitive data opt-in, data processing opt-out rights. Auto-served to Virginia IP visitors.
✓ Covered — Phase 3
🇺🇸
CPA (Colorado)
Opt-out, GPC signal mandatory, universal opt-out mechanism required.
✓ Covered — Phase 3
🇺🇸
TDPSA (Texas)
Opt-out of sale, targeted advertising, and profiling rights. Enforcement began July 2024.
✓ Covered — Phase 3
🇺🇸
FDBR (Florida)
Consent for data collection, right to access and delete personal data.
✓ Covered — Phase 3
🇨🇦
PIPEDA (Canada)
Meaningful consent requirement, privacy policy disclosure, purpose limitation for Canadian visitors.
✓ Covered — Phase 3
📡
IAB TCF 2.2 — Official CMP Registration
ConsentPixel — Privacy · Verified applies for IAB Europe CMP registration in Phase 3. The __tcfapi() stub, Global Vendor List integration, and TC String generation are built from the ground up to spec — not bolted on.
Phase 3 — Weeks 13–18
Works on every platform
One script tag.
Every platform. Forever.
No plugins. No app store approvals. No developer required. Paste once in your theme's <head> and you're done. Updates deploy from our CDN — your site code never changes again.
WordPress
Shopify
WooCommerce
Wix
Squarespace
Webflow
BigCommerce
Magento
Kajabi
Framer
Ghost
Drupal
Joomla
Any HTML site
Zero plugins. Zero approvals.
No WordPress plugin to maintain through every core update. No Shopify app to pay for separately. One line of HTML, one time, done.
Under 8kb — Core Web Vitals safe
Loads async from Cloudflare's global edge network in under 50ms. Google's PageSpeed Insights will not flag it. Your LCP score is safe.
Auto-updates without touching code
New law passes. New tracker identified. New lawsuit pattern. We update from the CDN. Your site is protected before you've heard the news.
08 — Agency Features
Everything you need to offer
compliance as a service.
ConsentPixel — Privacy · Verified's Agency plans are built for digital agencies, WordPress consultants, and web studios who want to add a recurring compliance revenue stream to their client offering.
White-label portal
Full portal at compliance.youragency.com. Your logo, your colours, your brand. Clients never see the ConsentPixel — Privacy · Verified name.
Portfolio dashboard
All client sites in one view. Risk scores, badge status, unacknowledged alerts, last scan time. Bulk trigger scans. Bulk push banner updates.
Branded PDF reports
Monthly compliance reports with your agency logo and colours. Send as a polished deliverable. Clients think it's your own product.
Client read-only access
Share a login with each client so they can see their site's compliance status. They can't change settings — just view and download reports.
Webhook alert delivery
Send alerts to your own systems — Slack, PagerDuty, your helpdesk. HMAC-signed payload. Retry on failure. Agency Pro plan.
30% referral commission
Refer other agencies and earn 30% of everything they pay — forever, for the life of their subscription. Tracked and paid monthly via Stripe.
Agency Lite — 25 sites example
$1,696 / month net revenue
25 clients × $75 = $1,875 − $179 ConsentPixel cost = $1,696 margin
See agency pricing →
09 — Google Consent Mode v2 & Analytics
Your ad data doesn't have to suffer
because you're compliant.
Properly implemented Google Consent Mode v2 lets Google model the data it can't directly observe — preserving up to 65% of the ad conversion intelligence that a badly configured CMP throws away.
v2
GCM v2 compliant
ad_storage, analytics_storage, ad_user_data, ad_personalization — all four signals handled
GA4
GA4 ready
Works with GA4 directly and through Google Tag Manager. No configuration needed.
GTM
GTM integration
Injects consent state into dataLayer before GTM loads. Blocks tags at the source level.
✓
Google CMP Partner
Certified by Google for Consent Mode implementation. Required for accurate GA4 modelling.
Complete feature matrix
Everything in one view.
| Feature | Starter | Agency Lite | Agency Pro |
|---|---|---|---|
| Core Compliance | |||
| Script auto-blocking (2,000+ trackers) | ✓ | ✓ | ✓ |
| CIPA named blocklist (Hotjar, FullStory, Clarity...) | ✓ | ✓ | ✓ |
| GTM dataLayer intercept | ✓ | ✓ | ✓ |
| Google Consent Mode v2 | ✓ | ✓ | ✓ |
| GDPR + CCPA + CIPA banners | ✓ | ✓ | ✓ |
| All US state laws (VA/CO/TX/FL/CT) | ✓ | ✓ | ✓ |
| GPC signal support | ✓ | ✓ | ✓ |
| Consent audit logs (3 years) | ✓ | ✓ | ✓ |
| IAB TCF 2.2 | ✓ | ✓ | ✓ |
| Scanner & Monitoring | |||
| Passive site scanner | Weekly | Daily | Daily |
| Active Playwright crawler | ✗ | ✓ Daily | ✓ Daily + on-demand |
| Risk score A–F grading | ✓ | ✓ | ✓ |
| Cookie deep audit | ✓ | ✓ | ✓ |
| PDF compliance report download | ✗ | ✓ | ✓ |
| Legal Documents | |||
| Privacy policy generator | ✓ | ✓ | ✓ |
| Cookie policy generator | ✗ | ✓ | ✓ |
| Terms & conditions generator | ✗ | ✓ | ✓ |
| DSAR management | ✗ | ✓ | ✓ |
| Trust Badge & Alerts | |||
| Privacy Verified trust badge | ✓ | ✓ | ✓ |
| CIPA Compliant badge | ✗ | ✓ | ✓ |
| Compliance certificate PDF | ✗ | ✓ | ✓ |
| Email alerts | ✓ | ✓ | ✓ |
| SMS alerts (CIPA critical) | ✗ | ✓ | ✓ |
| Webhook delivery | ✗ | ✗ | ✓ |
| Agency & Team | |||
| White-label portal + badge | ✗ | ✓ | ✓ |
| Portfolio dashboard | ✗ | ✓ | ✓ |
| Branded PDF reports | ✗ | ✓ | ✓ |
| Team roles & permissions | ✗ | ✗ | ✓ |
| Client read-only access | ✗ | ✗ | ✓ |
| 30% referral commission | ✗ | ✓ | ✓ |
| Max domains | Unlimited (pay per domain) | 50 | 250 |
Frequently asked questions
Common questions answered
Everything you need to know. Can't find what you're looking for? Contact us →
How does the script blocking actually work?
ConsentPixel — Privacy · Verified uses a MutationObserver intercept to rewrite any non-essential script's type attribute from text/javascript to text/plain before the browser can execute it. It also monkey-patches window.fetch and XMLHttpRequest to block outbound network requests to tracker domains at the API level. Scripts cannot fire — not deferred, not slowed — completely prevented. When a visitor consents, blocked scripts are restored per category in under 50ms with no page reload.
What trackers does the CIPA blocklist cover?
The named CIPA blocklist covers Hotjar, FullStory, Microsoft Clarity, Lucky Orange, Inspectlet, LogRocket, Mouseflow, Smartlook, SessionCam, and Crazy Egg — the exact tools that plaintiff firms Kind Law and Swigart Law Group scan for using BuiltWith data. The blocklist also covers Meta Pixel, TikTok Pixel, and LinkedIn Insight Tag under the §638.51 pen register provisions. Over 2,000 trackers total across all categories.
How often does the scanner run and what does it check?
Starter plan: weekly automated Playwright scan. Agency Lite and Pro: daily automated scan plus unlimited on-demand scans. Each scan visits your homepage plus up to 3 internal pages (checkout, contact, landing pages) as a fresh visitor with zero cookies and zero localStorage — exactly how plaintiff firms scan. It records every network request, every cookie set, every script that fires, and produces a risk grade from A (clean) to F (critical CIPA risk).
Does ConsentPixel work with Google Consent Mode v2?
Yes — ConsentPixel — Privacy · Verified is a Google CMP Partner certified for Consent Mode v2. It automatically injects all four v2 signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) into the dataLayer as denied before GTM or GA4 loads, then fires the update signal when the visitor consents. No additional configuration required. Properly implemented Consent Mode v2 preserves up to 65% of ad conversion intelligence that a poorly configured CMP throws away.
Can I generate a privacy policy automatically?
Yes — the privacy policy generator reads your actual scan results and lists every tracker found by name, with its category, data sharing details, and retention period. This is far more defensible than a generic template because it reflects what your site actually does. The generated policy is hosted at a permanent URL that never changes, auto-updates when new trackers are detected, and includes GDPR rights language for EU visitors and CCPA rights for California visitors auto-served by geography.
What does the trust badge look like and can it be faked?
The badge is served dynamically from badge.consentpixel.com and validated against your domain on every request using HMAC-SHA256. It cannot be faked — if someone copies the badge image URL onto a different domain, the badge automatically renders as a red fraud indicator. The badge colour reflects your most recent scan result in real time: green when clean, amber when action is needed, red on domain mismatch.
What agency features are included?
Agency Lite and Pro plans include a white-label portal at your own subdomain (compliance.youragency.com), portfolio dashboard for all client sites, branded PDF compliance reports with your logo, client read-only access (Agency Pro), webhook alert delivery to Slack or PagerDuty (Agency Pro), team roles and permissions (Agency Pro), and a 30% recurring referral commission for agencies you refer. The white-label badge can also show your agency name instead of ConsentPixel.
Is there an IAB TCF 2.2 certified mode?
Yes — ConsentPixel — Privacy · Verified implements the full IAB TCF 2.2 specification including the __tcfapi() stub, Global Vendor List integration, TC String generation, and Purpose consent handling. This is required for publishers running Google AdSense, Google Ad Manager, or any IAB-compliant advertising stack in the EU. TCF 2.2 mode is available on all plans.
Start free — 14 days
All these features.
One script tag.
10 minutes to set up.
Join 500+ websites protected by ConsentPixel — Privacy · Verified. CIPA, GDPR, CCPA covered from minute one.
No credit card · Cancel any time · Works on WordPress, Shopify, Webflow, or any HTML site