Overview
A consent banner is only as useful as the tags that honor it. It's disturbingly common for a site to render a perfectly legal-looking CMP banner and then fire marketing pixels anyway, whether the user said yes, no, or nothing at all. Pulse's consent testing catches that disconnect by scanning the site in each relevant consent state and flagging tags that misbehave.
This matters beyond ideology: GDPR, the California consumer privacy laws, and ePrivacy enforcement all turn on whether tags actually respect the choices users make. A broken consent implementation exposes the business to fines and erodes user trust. Pulse quantifies the gap so you can fix it before a regulator or an upset customer finds it for you.
Understand the three passes
Pulse runs three separate browser sessions against your site. Pass 1 (Baseline) loads the site without interacting with the consent banner at all, which is how most first-time visitors actually experience the page. Pass 2 (Deny All) clicks the reject or deny button on the banner and observes what fires after that. Pass 3 (GPC) sends a Global Privacy Control signal to see whether the site honors the browser-level opt-out.
Each pass collects the full set of network requests, pixel calls, and cookie writes that occur during the visit. Running three separate sessions rather than manipulating state mid-session is important: many CMPs cache consent decisions, so testing requires fresh browser contexts to simulate distinct users.
Review consent violations
After the scan finishes, Pulse compares what fired in each pass against what should have fired given the consent state. A marketing pixel firing during Deny All is a violation. A remarketing script firing under GPC is a violation. The violations panel lists each offender with its URL, the pass it was caught on, and the consent category it violated.
The details panel also shows the screenshots captured during each pass, which are useful as compliance evidence. If you ever need to demonstrate to a regulator or internal auditor what the site looked like at consent-decision time, the screenshots plus the tag list form a defensible paper trail.
Check the scoring
Pulse scores consent enforcement out of 20 points. Each violation caught in the Deny pass costs 5 points, because a post-denial fire is the most severe failure. Each GPC violation costs 3 points. A score of 20 means every tag respected the user's choice across all three passes; a low score means the site is at meaningful regulatory risk.
The score is a summary number for dashboards and reports, but the violation list is where the actionable work lives. Use the score to prioritize which properties need attention and the violations to decide exactly what to fix.
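The comparison and scoring steps described above can be sketched as follows. This is an added example, not Pulse's own code: the hostnames, the tag-to-category map, the per-pass policy, counting each host once per pass, and flooring the score at 0 are assumptions; the 5- and 3-point penalties are the ones stated above.

```javascript
// Added example, not Pulse's code. Hosts, categories and policy are constructed.
// Category each tag host belongs to (hypothetical map).
const TAG_CATEGORY = new Map([
  ["pixel.ads.example", "marketing"],
  ["retarget.example", "marketing"],
  ["stats.example", "analytics"],
  ["cdn.example", "essential"],
]);

// Assumed policy: categories allowed to fire in each pass.
const ALLOWED = {
  baseline: new Set(["essential"]),
  deny: new Set(["essential"]),
  gpc: new Set(["essential", "analytics"]),
};

// Penalties stated on the page; it states none for the Baseline pass.
const PENALTY = { baseline: 0, deny: 5, gpc: 3 };

function findViolations(passes) {
  const violations = [];
  for (const [pass, urls] of Object.entries(passes)) {
    const seen = new Set(); // assumption: count each tag host once per pass
    for (const url of urls) {
      const host = new URL(url).hostname;
      const category = TAG_CATEGORY.get(host); // unknown hosts are skipped
      if (!category || ALLOWED[pass].has(category) || seen.has(host)) continue;
      seen.add(host);
      violations.push({ pass, url, category });
    }
  }
  return violations;
}

function score(violations) {
  const lost = violations.reduce((sum, v) => sum + PENALTY[v.pass], 0);
  return Math.max(0, 20 - lost); // assumption: score floors at 0
}

// Constructed request captures, one fresh browser session per pass.
const SAMPLE = {
  baseline: ["https://cdn.example/app.js", "https://stats.example/collect"],
  deny: ["https://cdn.example/app.js", "https://pixel.ads.example/tr?id=1",
    "https://pixel.ads.example/tr?id=2"],
  gpc: ["https://cdn.example/app.js", "https://retarget.example/sync",
    "https://stats.example/collect"],
};

console.log(findViolations(SAMPLE), score(findViolations(SAMPLE)));
```

On the sample data this yields three violations (one each in Baseline, Deny All and GPC) and a score of 12.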
Fix violations and re-scan
Each violation points at a tag that needs a consent trigger in GTM. For tags managed by AutoTag, the fix is usually enabling the relevant consent profile on the project, which regenerates the container with proper consent checks. For tags managed by hand in GTM, you'll need to attach consent conditions manually to the offending tags.
Once the fixes are deployed, re-scan to confirm compliance. Pulse scans are cheap to rerun, so iterate: fix a batch, scan, see what remains, fix the next batch. Most sites can get to 20/20 in one or two cycles.
The Deny pass is the most important one; tags firing after the user clicks reject are the most common compliance failure and the costliest in the scoring. Bot protection services sometimes interfere with scans, in which case Pulse displays a warning banner explaining the impact so you know the scan may be less complete than normal. Consent profiles configured in AutoTag are used to determine the expected consent behavior per tag, so keeping those profiles accurate pays off in the scan results.
Troubleshooting
Pulse reports violations but the tag looks correct in GTM
Check whether the tag's consent settings are set at the tag level or inherited from the container's default consent state. A tag with no explicit consent requirement inherits whatever the container default is, which may not be what you expect. Set the consent requirement explicitly on the tag and re-scan.
Scan fails to detect the consent banner
Bot protection (Cloudflare's Bot Fight, DataDome, PerimeterX) can serve a challenge page instead of the real site to headless browsers, which short-circuits the scan. Pulse surfaces a warning banner when it detects this. The fix is to allowlist Pulse's scan IP or user agent in your bot protection's configuration.
GPC pass shows no violations even though tags are firing
Many sites only honor GPC when a specific consent profile is active, or only treat GPC as a signal rather than a hard opt-out. Confirm the site's intended behavior in the consent spec before concluding the scan is wrong. If the site is configured to ignore GPC by design, the pass results will reflect that policy accurately.