marketing-consent-data-collection-review

Marketing Consent and Data-Collection Review

Purpose

This skill reviews the consent and data-collection layer of a marketing site for regulatory correctness, coverage gaps, and dark-pattern risk. Marketing analytics and advertising tags are a primary enforcement target under GDPR, the ePrivacy Directive, and US state privacy laws (CCPA/CPRA and successors). A tag that fires before a consent signal, a banner with no symmetric reject control, or a missing "Do Not Sell or Share" path converts routine marketing instrumentation into a regulatory liability and a class-action surface. The review catches consent-gating failures, banner dark patterns, Consent Mode misconfiguration, undeclared trackers, and cross-border transfer gaps before they reach production.

Lean operating rules

• Treat any analytics or advertising tag that fires before an explicit opt-in consent signal (in a GDPR/ePrivacy-scoped jurisdiction) as HIGH — prior consent is required before non-essential storage or access.
• Treat a consent banner with no reject control, or a reject control that takes more clicks or less visual weight than accept, as HIGH — non-symmetric choice is a recognized dark pattern and invalidates consent.
• Treat pre-ticked consent checkboxes or "consent by continued browsing / scrolling" as HIGH — neither is freely given, specific, informed, and unambiguous consent.
• Treat the absence of a "Do Not Sell or Share My Personal Information" link or an equivalent opt-out preference signal path (Global Privacy Control honoring) as HIGH for sites serving California or other opt-out-regime traffic.
• Treat Google Consent Mode left in its default-granted state, or implemented without wait_for_update, as HIGH — tags transmit before the consent decision is captured.
• Treat trackers observed in the tag container that are not disclosed in the cookie policy or consent vendor list as HIGH — undisclosed processing has no lawful basis.
• Flag a single global consent toggle with no per-purpose granularity (analytics vs advertising vs personalization) as MEDIUM — purpose-bundled consent is not specific.
• Flag consent records with no retention of timestamp, scope, and consent-string version as MEDIUM — without a consent record the controller cannot demonstrate compliance.
• Flag advertising tags that send data to ad networks in non-EEA jurisdictions with no referenced transfer mechanism as MEDIUM.
• Do not recommend disabling a tag without naming the marketing measurement it supports and the residual attribution loss.
• Label every finding with evidence basis: configuration provided, policy text provided, documentation-based, or inference from missing config.

References

Load these only when needed:

• Workflow and output contract — use when executing the full review or formatting the final answer.

Response minimum

Return, at minimum:

• Consent-gating findings (tags firing before the consent signal)
• Banner design assessment (symmetry, granularity, dark-pattern checks)
• Opt-out / Global Privacy Control path assessment
• Consent Mode / tag-manager wiring findings
• Tracker-to-policy disclosure gap list
• Cross-border transfer assessment
• Severity-labelled finding list (critical / high / medium / low)
• Safe next actions