What this service is
The CMP service assesses whether a client’s website properly controls which cookies and tracking scripts fire before, during, and after a user provides consent. Most websites—even those with a visible cookie banner—are out of compliance: trackers fire before consent is given, reject buttons are buried or absent, and privacy documentation is incomplete or inaccurate.
Northwoods has built an advanced agentic scanning tool that automates this entire assessment. It inventories every cookie and tracking script, tests the consent mechanism, verifies privacy documentation, and produces a scored compliance report with a prioritized remediation plan—all without manual effort from the specialist.
Why clients care: GDPR fines reach €20M or 4% of global annual revenue. CCPA/CPRA penalties run up to $7,500 per intentional violation. ADA-style lawsuits targeting cookie consent are increasing. Most clients have no idea what’s firing on their site before a user clicks “Accept.”
Eric / Gerry
CMP Practice Lead — Privacy & Consent Management
Eric was recently assigned the task of growing the CMP practice at Northwoods and has started overseeing the agentic assessment tool built by Gerry in Q4-25 and Q1-26. He is one of the subject matter experts for client-facing compliance questions, audit methodology, and remediation guidance. For L/XL engagements, Eric will lead the consulting conversation and the remediation planning session. A public-facing Quick Scan variant is currently in final development.
Service tiers — S / M / L
S — Quick Scan
Quick Scan
Free
Self-serve • Homepage only • ~30 seconds
- ✓ CMP vendor detected
- ✓ Cookie banner present
- ✓ Reject / Decline button present
- ✓ Cookie count (first-party vs. third-party)
- ✓ Pre-consent tracking detected
- ✓ Privacy policy link present
- ✓ Overall compliance level estimate
Scope: Homepage • Agentic: Yes • No account required
M — Review
Detailed Scan
~$200
Email-gated • Homepage + key pages • Agent-generated
- ✓ Everything in Quick Scan
- ✓ Full 5-level compliance score
- ✓ Complete cookie inventory table
- ✓ Tracking script detection (GTM, GA4, HubSpot…)
- ✓ Consent Mode v2 implementation check
- ✓ SRI (Subresource Integrity) coverage
- ✓ Cookie policy & DSAR documentation check
- ✓ Remediation summary
Scope: Homepage + 5–10 pages • Agentic: Yes • Delivered via branded report
L — Full Audit
Full Audit
$$$
Scoped engagement • Full site • Agent + Eric review
- ✓ Everything in Detailed Scan
- ✓ Manual GPC signal testing
- ✓ Geographic consent behavior analysis
- ✓ Attribution cookie tracking (gclid, utm…)
- ✓ Campaign parameter simulation
- ✓ Prioritized remediation plan (HIGH / MED / LOW)
- ✓ Draft client outreach email
- ✓ Expert consultation with Eric
- ✓ Quarterly audit scheduling
Scope: Full site • Agentic + Eric review • Retainer entry point
What the agent checks
| Check | Quick Scan | Review | Full Audit |
| Consent Mechanism |
| CMP vendor identified (OneTrust, Termly, Cookiebot…) | ✓ | ✓ | ✓ |
| Cookie banner present on first visit | ✓ | ✓ | ✓ |
| Reject / Decline All button available | ✓ | ✓ | ✓ |
| Pre-consent tracking prevention | ✓ | ✓ | ✓ |
| Rejection persistence across page reloads | — | ✓ | ✓ |
| Consent preference cookie correctly stored | — | ✓ | ✓ |
| Consent Mode v2 update events | — | ✓ | ✓ |
| GPC (Global Privacy Control) signal handling | — | — | ✓ |
| Geographic consent behavior (VPN simulation) | — | — | ✓ |
| Cookie & Tracking Inventory |
| Total cookie count (first-party vs. third-party) | ✓ | ✓ | ✓ |
| Cookie inventory table (name, category, duration, flags, source) | — | ✓ | ✓ |
| Tracking script detection (GTM, GA4, HubSpot, Meta Pixel…) | — | ✓ | ✓ |
| SRI (Subresource Integrity) coverage on external scripts | — | ✓ | ✓ |
| Attribution cookie tracking (gclid, utm parameters) | — | — | ✓ |
| Campaign parameter simulation (Google, Meta, LinkedIn) | — | — | ✓ |
| Privacy Documentation |
| Privacy policy present and accessible | ✓ | ✓ | ✓ |
| Cookie policy present | — | ✓ | ✓ |
| DSAR (Data Subject Access Request) process documented | — | ✓ | ✓ |
| Explicit GDPR / CCPA regulatory references | — | ✓ | ✓ |
| Scoring & Remediation |
| Compliance level estimate (1–5) | △ | ✓ | ✓ |
| Prioritized remediation plan (HIGH / MED / LOW) | — | △ | ✓ |
| Expert review & consulting with Eric | — | — | ✓ |
✓ Included • △ Partial / estimated • — Not included
The 5-level compliance framework
Every assessment produces a compliance level from 1 to 5. This gives clients a clear benchmark, a gap to close, and a basis for measuring progress over time.
- Level 1, Initial: Ad hoc. No formal consent process. Trackers fire freely.
- Level 2, Developing: Basic banner present. Implementation incomplete or inconsistent.
- Level 3, Defined: Documented process. Consistent implementation across key pages.
- Level 4, Managed: Measured & monitored. Near-compliant. Minor gaps remain.
- Level 5, Optimized: Continuous improvement. Fully compliant. Documented & audited.
Example: a Level 4 client has one level to close — the assessment report shows exactly what stands between them and Level 5.
Sample output — Quick Scan
This is representative of what a prospect sees when they run a free scan of their homepage on the NWS website.
Scanned: www.example-client.com — April 1, 2026 — Homepage only
- ✓ CMP Vendor Detected: Termly
- ✓ Cookie Banner Present: Yes
- ! Reject / Decline All Button: Buried in preferences
- ✗ Pre-Consent Tracking: 3 trackers fire before consent
- ✓ Cookie Count: 15 total — 11 first-party, 4 third-party
- ✓ Privacy Policy Link: Present
Estimated Compliance Level: 3 / 5 (Defined)
What happens next: The prospect enters their email to receive a link to the full Detailed Scan (~$200). The Quick Scan result is sent immediately with a CTA to learn what the 3-tracker pre-consent finding means for their legal exposure.
Sample output — Remediation plan (Full Audit)
The Full Audit produces a prioritized action list with complexity ratings, dependencies, and regulatory rationale. The example below is based on a real assessment.
| Priority | Action | Rationale and complexity | Timeline |
| High | Add GPC / CCPA disclosure to privacy policy | Regulatory requirement under CCPA/CPRA for California visitors. Absence is an auditable gap. Complexity: Low — copy edit only. | 30 days |
| High | Investigate malformed GA4 Measurement ID in page HTML | A misformatted ID (G-1PHILADELPHI) suggests data is not reaching Google Analytics. All conversion tracking may be broken. Complexity: Medium — dev change required. | 30 days |
| High | Verify Consent Mode v2 update events are firing correctly | Required for Google Ads conversion modeling under consent frameworks. Without this, campaign ROI data is unreliable. Complexity: Medium — GTM configuration. | 30 days |
| Medium | Implement SRI hashes for 4 external scripts | 0% SRI coverage on external scripts is a supply-chain security risk. If a CDN is compromised, malicious code runs on every visitor’s browser. Complexity: Medium — dev change per script. | 90 days |
| Medium | Simplify reject flow to single-click option | Current implementation buries “Decline All” inside the preference center. GDPR requires that rejecting consent be no harder than accepting it. Complexity: Low — CMP configuration. | 90 days |
Deliverables by tier
| Tier | What the client / prospect receives | Format | Who produces it |
| S — Quick Scan | 6-signal scorecard with compliance level estimate and email CTA | On-screen result + email summary | Agent (fully automated) |
| M — Review | Full compliance assessment report: cookie inventory, tracking script map, compliance level (1–5), SRI coverage, remediation summary | Branded HTML report (Hayden / Lovable) | Agent → Hayden (polish) |
| L — Full Audit | Comprehensive audit report + prioritized remediation plan (HIGH/MED/LOW with timelines) + draft outreach email + quarterly audit schedule + consulting session with Eric | Branded HTML report + consulting call | Agent → Hayden (polish) → Eric (consult) |
How this service is delivered today
- Step 1: Agent Scans. Gerry’s agentic tool runs the full CMP assessment against the client’s site. Produces raw structured report. (Gerry — Agent tooling)
- Step 2: Raw Report. Structured HTML report output at the assessments API endpoint. Contains all findings, cookie inventory, and remediation plan. (Automated)
- Step 3: Polish & Brand. Hayden takes the raw report into Lovable and produces the client-facing branded version with visual design and formatting. (Hayden — Lovable)
- Step 4: Client Delivery. Branded report shared with client. For Full Audit engagements, Eric leads a consulting session on the remediation plan. (Eric — CMP Lead)
Coming soon: A public-facing Quick Scan variation is nearly complete and will be available directly on the NWS website. Prospects will be able to scan their own homepage for free, with no friction, as the top-of-funnel entry point for the NWS-360 program.
Features & benefits
What makes this service distinctive
- Fully automated agentic scanning — no manual setup per client
- 5-level compliance framework gives clients a benchmark and a clear target
- Cookie inventory down to name, category, duration, flags, and source
- GPC signal testing goes beyond what most agencies check
- SRI coverage analysis surfaces supply-chain risk most clients don’t know exists
- Remediation plan is prioritized by urgency, complexity, and regulatory exposure
- Branded client report produced by Hayden in Lovable — visually polished
- Draft client outreach email included in Full Audit deliverable
- Legal references (GDPR, CCPA/CPRA, ePrivacy) built into every finding
- Works on any CMS — Titan, WordPress, HubSpot, custom builds
Client benefits
- Understand exactly what is tracking their users, and when, before a regulator does
- Reduce legal exposure from GDPR, CCPA/CPRA, and ePrivacy violations
- Fix the reject-button problem before it becomes a lawsuit or a fine
- Get a clear, phased remediation roadmap — not just a list of problems
- Quarterly audit cadence keeps compliance current as regulations and CMPs evolve
What the client-facing report looks like
After the agent produces its raw assessment, Hayden takes the structured output and renders a polished, branded client report using Lovable. The following images are taken directly from a real Northwoods CMP report delivered to a client.
Workflow reminder: Raw agent output → Hayden (Lovable) → branded HTML report → shared with client. For Full Audit engagements, Eric reviews and leads a consulting session before delivery.
Cover — Score & Metadata
What the client sees first: A risk score out of 100 with a plain-language rating (e.g., “Critical Gaps”), the number of items assessed, their domain, CMS platform, consent platform, analytics configuration, and total cookie count — all pulled automatically by the agent.
Compliance Status — Item-by-Item Findings
Every check is explained in plain language. Each item receives a status (Compliant / Non-Compliant / Partial) with a specific note describing exactly what the agent found — including the script names, cookie names, and technical reasons behind each finding.
Compliance Level — 1–5 Framework
The compliance level visual shows the client exactly where they are today, where they need to be, and how many levels separate them from the target. This becomes the benchmark all future assessments measure against.
Remediation Roadmap — Prioritized Steps
Each remediation step is actionable, not generic. Steps are numbered, prioritized (HIGH / MEDIUM), and include complexity ratings, what they depend on, and the specific regulatory article that requires the fix — so the client can assign work immediately and defend decisions internally.
Critical Compliance Issues — Evidence
Critical issues include evidence. The report names the specific cookies and scripts involved, shows the actual values found (e.g., cookie names, parameter strings), and cites the applicable regulation — providing everything needed for a developer to act or a legal team to assess exposure.
Summary of Findings & Recommended Path Forward
The summary is written for stakeholders. One section shows the current state in a single sentence, lists the critical issues at a glance, and states the recommended path forward — designed to be shared with a client’s leadership team without additional explanation.