GDPR Consent Mode consultant: legal-technical alignment and audit readiness

GDPR Consent Mode consultant: legal documentation alignment with technical setup, LIA, processing register, inspection preparation.

By Ron Kopelman, freelance analytics consultant — updated May 18, 2026

A GDPR-compliant Consent Mode v2 setup verifies that your technical configuration (CMP, GTM, tags, Consent Mode signals) and your legal documentation (LIA, processing register, privacy policy, DPA) tell the same story. In 70% of sites I audit, they diverge: legal documents describe marketing cookies loaded after consent, but code loads several before; the processing register lists 3 purposes, but GTM pushes 12; the LIA relies on legitimate interest while code uses consent. A GDPR inspection or user complaint reveals the gap and triggers a formal notice. My EU GDPR Consent Mode consultant fee: €1,800 for ~3 days, delivered in 2 weeks.

When this audit is urgent

Four signals that demand audit without delay:

You received a GDPR formal notice or user complaint. Intervention deadline: under 7 days.

An inspection is planned or rumored. If your sector is under regulatory focus (premium ecommerce, healthcare, media) and inspection is probable within 6 months, anticipate.

Recent CMP or Consent Mode change. Every migration creates risks of divergence between docs and code.

You’ve never audited your consent setup. If Consent Mode v2 deployed in 2024 and no one has reviewed since, audit is due.

Audit scope

Technical (1.5 days)

  • CMP: category configuration, banner design (refusal as easy as acceptance, GDPR-compliant), audit trail
  • GTM: tags loading before consent (always suspect), tags ignoring CMP mapping, Consent Mode signals (consent default first, consent update post-action)
  • Ad tags: Meta Pixel, Google Ads, LinkedIn, TikTok, Pinterest — each must be blocked until consent
  • Cookies: inventory of cookies actually set, duration, purpose, comparison with CMP declaration
  • LIA (Legitimate Interest Assessment): present, up-to-date, compliant with latest GDPR guidance
  • Processing register: consent processing mentioned, declared purposes, retention duration
  • Privacy policy: clear user information on Consent Mode usage (Basic or Advanced), recipients list, user rights
  • DPA (Data Processing Agreement) with Google, Meta, LinkedIn, other ad sub-processors

Alignment (0.5 day)

  • Coherence table between legal declarations and technical reality
  • Gap detection
  • Documentation update recommendations

Deliverable

PDF + shared Notion:

  • Tag inventory declared vs actual, with gaps
  • Cookie inventory declared vs actual
  • Consent Mode v2 audit (Basic or Advanced, signals, mapping)
  • Legal documentation audit (LIA, register, privacy policy, DPA)
  • Gap list classified by severity (critical/major/minor)
  • Prioritized action plan with code corrections and doc corrections separated
  • Inspection preparation checklist if applicable
  • LIA and register update templates as needed

Concrete cases

Premium ecommerce €5M revenue: audit following DPO change. 14 critical gaps detected (4 ad tags outside CMP, outdated LIA, inconsistent register). Corrections in 5 days, alignment validated.

Media with subscription: preventive audit following a CNIL inspection at a competitor. 8 major gaps detected, LIA + privacy policy + GTM corrections. Inspection preparation validated.

Public training institution: audit following user complaint about refusal compliance. 3 critical gaps (analytics cookies loading despite refusal). Corrections in 2 days, complaint response transmitted within 30 days.

Frequently asked questions

What happens during a CNIL inspection?

CNIL sends a letter listing points to verify (typically consent, retention duration, international transfers). Response deadline: 30 days typically, extensible on motivated request. If preventive audit done upstream, all elements are ready — response drafted in 2-3 days.

Can you represent my company before CNIL?

No, I’m not a lawyer. For CNIL litigation, I refer you to a specialized firm. I provide technical elements and proofs of proper functioning, the firm drafts the legal response.

If the audit reveals large gaps?

That’s the rule rather than the exception — 70% of sites have critical gaps. Audit produces an action plan and I can lead corrections as a complementary mission (typically 3-8 days depending on volume).

← Back to all facets of the analytics consultant trade

Need an analytics consultant?

Let's discuss your tracking, measurement and data needs. Free initial consultation, no commitment.

Book a call Voir les tarifs

Sans surprise : forfaits affichés en clair, devis validé avant kick-off, pas d'avenant.