Consent gating needs review — tags may fire before the required consent state
https://demo-shop.example.com
Measurement trust is weak (58/100). Evidence used: GTM export, GA4 event CSV, acquisition CSV. Missing evidence is labeled as Needs More Data or Not Checked.
Reporting Confidence
Medium
GA4 events are firing, but purchase reliability cannot be confirmed because transaction_id coverage is incomplete.
Revenue Risk
High
Revenue Trust: GA4 purchase events have parameter gaps and backend reconciliation is not available.
Attribution Risk
High
Attribution Risk: UTM loss and payment gateway referral risk can understate paid performance.
Consent Risk
Critical
Consent Mode v2 Quality: default denied and update behavior are not confirmed.
How measurement appears to be installed
This traces the measurement path from website stack to GA4 data. Each layer is evidence-based, so missing uploads are marked as needing data instead of guessed.
Website stack
Shopify signals were detected.
Plugins/apps: Elevar (Shopify)
GTM / GA4 load
No obvious GTM placement delay was detected.
Sources: GTM snippet in HTML, Uploaded GTM container export; install: hardcoded; position: head-top
Consent gate
OneTrust detected.
OneTrust
Event implementation
Upload GTM export and GA4 event CSV to compare configured tags against received events.
GTM/export and event sample comparison
GA4 data received
GA4 event quality needs an event-level CSV or runtime evidence.
Event CSV / runtime evidence
Revenue / outcome trust
Backend order export is needed to prove revenue accuracy.
Backend orders not uploaded
- →Upload GTM JSON + GA4 event CSV to compare configured tags against events actually received by GA4.
- →Upload backend orders CSV to reconcile GA4 revenue against real orders.
- →Use the Chrome extension evidence export to capture live dataLayer, consent, and journey events.
- →Upload a tracking plan CSV to separate real gaps from intentional custom event names.
Add evidence to unlock stronger root cause analysis
Current findings stay honest when evidence is missing. These uploads will turn risk flags into confirmed tag, event, and revenue diagnostics.
Unlocks revenue reconciliation: missing orders, extra GA4 orders, duplicate transactions, and revenue mismatch.
Separates true missing events from intentional custom names like enquiry_submitted or whatsapp_click.
Captures live dataLayer events, Consent Mode state, and journey timing that static crawl cannot prove.
Category score breakdown
Measurement Trust Score by evidence area.
2 issues affected this category score.
1 issue affected this category score.
1 issue affected this category score.
2 issues affected this category score.
Backend reconciliation was not supplied.
Purchase parameter gaps affected trust.
Monitoring readiness is not checked in this sample report.
Biggest risk area: Consent · Strongest: Website
P0/P1 priority fixes
Fix Plan
6 issues · prioritised by impact
Critical issues causing data loss or compliance risk right now
Consent Mode v2 default state is not set in GTM. Tags that process personal data (GA4 Configuration, Google Ads) have no consent requirements configured. Tags may fire before the user accepts or declines cookies.
- Not found in GTM container
- Not found in GTM container
- OneTrust script present on page
UTM parameters are stripped on 3 internal navigation paths. Visitors arriving via paid campaigns lose attribution when navigating to product pages or the cart.
- https://demo-shop.example.com/products → loses utm_source
- https://demo-shop.example.com/cart → loses all UTM params
- https://demo-shop.example.com/collections/sale → loses utm_campaign
Fix Impact Simulator
Estimated score lift by resolving the highest-priority issues. Not a guarantee.
P0/P1 estimate
Fix all P0 and P1 issues to increase score from 58 to approximately 84. This is an estimate, not a guarantee.
Owner: GTM Specialist
Owner: Developer
Owner: Developer
Owner: GTM Specialist
Owner: Marketing
Owner: Developer
Evidence table
What the audit could prove from the URL scan and uploaded files.
| Issue | Category | Evidence | Confidence |
|---|---|---|---|
| Consent Mode v2 implementation | Consent | Consent default command: Not found in GTM container | Confirmed |
| Consent Mode v2 implementation | Consent | Consent update command: Not found in GTM container | Confirmed |
| UTM parameter retention | Attribution | Page crawl: links that strip UTMs: https://demo-shop.example.com/products → loses utm_source, https://demo-shop.example.com/cart → loses all UTM params, https://demo-shop.example.com/collections/sale → loses utm_campaign | Confirmed |
| UTM parameter retention | Attribution | Affected session types: Paid Search, Paid Social, Email | Confirmed |
| Duplicate event detection | Event Data | Duplicate event stats: event=add_to_cart, affected_sessions=23%, duplicate_count=1847 | High Risk |
| Duplicate event detection | Event Data | Conflicting triggers: Click trigger (all elements, .add-to-cart) + Visibility trigger (product-atc-btn) | High Risk |
| Missing ecommerce parameters | Event Data | Missing parameter rates: coupon=41% missing, shipping=41% missing, item_variant=100% missing | Confirmed |
| UTM source/medium naming quality | Attribution | Mixed-case medium values: email (n=1,204), Email (n=832), EMAIL (n=147) | Confirmed |
| Cross-domain and payment gateway attribution risk | Website | Finding type: Risk detected — not a confirmed issue. Confirm in GA4 DebugView. | High Risk |
| Cross-domain and payment gateway attribution risk | Website | External domains detected in crawl links: checkout.demo-shop.example.com, stripe.com/checkout | High Risk |
Recommended next steps
A practical handoff for analyst, developer, marketing, legal, or platform owners.
- 1
Consent Mode v2 implementation
Add a Consent Initialization trigger in GTM. Add gtag('consent', 'default', {...}) before all other tags fire. Add gtag('consent', 'update', {...}) on the CMP accept/decline callback. Set consent requirements on GA4 and Ads tags.
Suggested owner: GTM Specialist
- 2
UTM parameter retention
Audit all internal link components for UTM preservation. Use GA4 session-based attribution (which is the default) and confirm it is not being overridden. Add the UTM parameters to your internal link builder or use GTM to persist them in sessionStorage.
Suggested owner: Developer
- 3
Missing ecommerce parameters
Update the purchase data layer push to include coupon, shipping, and tax. Add item_variant to all product data layer pushes (view_item, add_to_cart, purchase).
Suggested owner: Developer
- 4
Duplicate event detection
Review add_to_cart tag triggers in GTM. Remove the element visibility trigger or add a trigger exception to prevent double-firing. Use GTM Preview to confirm only one hit fires per click.
Suggested owner: GTM Specialist
Limitations of this audit
Things that constrained what the engine could verify in this run.
- GTM JSON not provided — container analysis is partial (based on crawl detection only for some checks).
- GA4 event CSV not provided — event quality checks are based on crawl signals only.
- User Acquisition CSV not provided — paid channel attribution checks are unavailable.