When a data protection authority opens an investigation, compliance evidence determines the outcome. A signed checklist tells them you had a process. A HAR file showing third-party tracking requests fired 200 milliseconds after a user rejected cookies tells them what actually happened.
Most compliance audits still rely on manual reviews and self-assessments. An auditor visits a website, clicks around, takes a few screenshots, and writes a report. The result is a snapshot of one moment in time, filtered through one person's judgment. Regulators have seen enough of these to know they prove very little.
GDPR accountability requires demonstrable proof
GDPR Article 5(2) creates the accountability principle: controllers must be able to demonstrate compliance with data protection principles. Article 24 reinforces this. Controllers must implement appropriate measures and be able to demonstrate that processing is performed in accordance with the regulation.
The word 'demonstrate' is doing heavy lifting. A checklist demonstrates that someone filled out a form. A forensic recording of browser behavior demonstrates what your website actually does when a user interacts with it.
Under GDPR Article 58(1)(a), supervisory authorities have the power to order controllers to provide any information required for the performance of their tasks. Forensic evidence answers their questions before they ask them.
Browser session recordings: a DVR for compliance testing
Vakteye captures replayable browser session recordings during every consent test. These are .zip files that record every browser action: page load, banner rendering, click events, cookie changes, and network requests, all timestamped and linked.
The recordings are viewable in an open-source trace viewer. Your DPO, your legal team, or a regulator can replay the exact sequence of events. They see what the scanner saw, in the order it happened.
This matters because consent violations are sequential. A cookie banner appearing is not the issue. The issue is what happens after a user clicks reject. A session recording captures that entire sequence with millisecond precision.
HAR files: every HTTP request timestamped and categorized
HAR (HTTP Archive) files are the industry standard for recording browser network activity. Vakteye generates HAR 1.2 files with phase markers. Each request is tagged with the consent phase it belongs to: baseline, post-reject, or post-accept.
Phase marking is what separates a useful HAR file from a wall of network noise. When a regulator asks 'Did Google Analytics fire after the user rejected tracking?', a phase-marked HAR gives a direct, timestamped answer.
- Baseline phase: Network requests before any consent interaction
- Reject phase: Requests captured after the user rejects all non-essential cookies
- Accept phase: Requests captured after the user accepts all cookies
- Each request tagged with timestamp, domain, response status, and content type
The comparison between phases reveals the truth. If the same tracking endpoints appear in both the reject and accept phases, the consent mechanism is decorative.
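The phase comparison described above, as an added example (not Vakteye's code). The `_phase` entry field, the tracker list and the sample entries are assumptions made for illustration; HAR 1.2 permits custom fields that begin with an underscore.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TRACKER_DOMAINS = {"tracker.example", "ads.example"}  # constructed list, not a real feed

def _entry(ts, phase, url, status=200):
    # Minimal HAR 1.2 entry; "_phase" is an assumed custom field name.
    return {"startedDateTime": ts, "_phase": phase,
            "request": {"method": "GET", "url": url},
            "response": {"status": status}}

# Constructed sample log covering the three consent phases.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    _entry("2026-01-10T09:00:00.100Z", "baseline", "https://shop.example/"),
    _entry("2026-01-10T09:00:04.200Z", "post-reject", "https://shop.example/app.js"),
    _entry("2026-01-10T09:00:04.400Z", "post-reject", "https://tracker.example/collect?v=1"),
    _entry("2026-01-10T09:00:09.000Z", "post-accept", "https://tracker.example/collect?v=1"),
    _entry("2026-01-10T09:00:09.100Z", "post-accept", "https://cdn.ads.example/pixel.gif"),
]}}

def is_tracker(host):
    # Match the domain itself or any subdomain, never a bare suffix.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)

def tracker_hits_by_phase(har):
    """Group tracker requests by the consent phase they were tagged with."""
    hits = defaultdict(list)
    for e in har["log"]["entries"]:
        host = urlsplit(e["request"]["url"]).hostname or ""
        if is_tracker(host):
            hits[e.get("_phase", "unmarked")].append((e["startedDateTime"], host))
    return hits

def reject_phase_findings(har):
    """Tracker requests seen after reject, flagged if the accept phase hits the same host."""
    hits = tracker_hits_by_phase(har)
    accept_hosts = {h for _, h in hits.get("post-accept", [])}
    return [{"time": ts, "host": h, "also_in_accept": h in accept_hosts}
            for ts, h in sorted(hits.get("post-reject", []))]

if __name__ == "__main__":
    for finding in reject_phase_findings(SAMPLE_HAR):
        print(finding)
```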
Cookie diff snapshots: triple comparison that exposes violations
Vakteye takes three cookie snapshots during consent testing. The first captures baseline cookies before any consent interaction. The second captures cookies after the user rejects non-essential cookies. The third captures cookies after the user accepts.
The triple diff analysis compares all three states. Cookies present in the reject snapshot that match known tracking domains are violations. The user said no, and the website ignored them. Cookies that reappear after being deleted are zombie cookies, indicating evercookie techniques designed to circumvent user choice.
Zombie cookies (cookies that respawn after deletion) receive CERTAIN confidence in Vakteye's classification. Evercookie respawn is behavioral proof of non-compliance that requires no interpretation.
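A sketch of the triple diff and the respawn check, as an added example (not Vakteye's code). The snapshot layout, the tracking-domain list and the extra delete-and-resnapshot step are assumptions; comparing the respawned value with the original shows whether the same identifier came back.

```python
TRACKING_DOMAINS = {"tracker.example"}  # constructed list, not a real feed

# Constructed snapshots: {(cookie name, cookie domain): value}
BASELINE = {("session", "shop.example"): "s1"}
REJECT = {("session", "shop.example"): "s1",
          ("_tid", ".tracker.example"): "u-42"}
ACCEPT = {("session", "shop.example"): "s1",
          ("_tid", ".tracker.example"): "u-42",
          ("_ad", ".tracker.example"): "a-7"}
# Assumed extra step: the harness deletes _tid, reloads, and snapshots again.
AFTER_DELETE = {("session", "shop.example"): "s1",
                ("_tid", ".tracker.example"): "u-42"}

def is_tracking(domain):
    # Cookie domains may carry a leading dot; match the domain or a subdomain.
    d = domain.lstrip(".").lower()
    return any(d == t or d.endswith("." + t) for t in TRACKING_DOMAINS)

def triple_diff(baseline, reject, accept):
    """Classify cookies by which of the three snapshots they appear in."""
    return {
        # Tracking cookies present although the user rejected.
        "reject_violations": sorted(k for k in reject if is_tracking(k[1])),
        # Cookies that only exist once the user accepted.
        "consent_gated": sorted(k for k in accept
                                if k not in reject and k not in baseline),
        # Cookies identical across all three states.
        "unchanged": sorted(k for k in baseline
                            if reject.get(k) == accept.get(k) == baseline[k]),
    }

def respawned(before, deleted_keys, after):
    """Cookies that were deleted yet are present again in the later snapshot."""
    return [{"cookie": k, "same_value": before.get(k) == after[k]}
            for k in sorted(deleted_keys) if k in after]

if __name__ == "__main__":
    print(triple_diff(BASELINE, REJECT, ACCEPT))
    print(respawned(REJECT, {("_tid", ".tracker.example")}, AFTER_DELETE))
```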
The smoking gun timeline: consent violations visualized
Raw evidence files are powerful but not immediately readable. Vakteye reconstructs a visual timeline from the HAR phase markers showing the exact sequence of events: banner appeared, user rejected, tracking cookie set, third-party request fired.
This timeline turns technical evidence into a narrative that non-technical stakeholders can follow. A DPO reviewing a scan result sees the story at a glance. A regulator sees a clear chain of events, not a raw data dump.
Forensic packages: evidence with integrity verification
For approved reviews, Vakteye generates a downloadable forensic package: a zip file containing all evidence artifacts from the scan. Each file in the package is hashed with SHA-256, and the manifest records every hash.
Integrity verification matters when evidence may be challenged. The SHA-256 manifest proves that no artifact has been modified after collection. The package is self-contained, and anyone can verify the hashes independently without access to Vakteye's systems.
- Browser session recording (.zip): full browser session replay
- HAR files: phase-marked network recordings for reject and accept flows
- Cookie diff snapshots: baseline vs reject vs accept comparison
- SHA-256 manifest: cryptographic integrity verification for every artifact
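Independent verification of such a package could look like the following added example (not Vakteye's code). The manifest file name, its JSON layout of file name to SHA-256 hex digest, and the sample artifacts are assumptions.

```python
import hashlib
import io
import json
import zipfile

MANIFEST_NAME = "manifest.json"  # assumed name and layout: {"file": "sha256 hex"}

def build_sample_package():
    """Constructed package: two artifacts plus a manifest of their hashes."""
    files = {"reject.har": b'{"log": {}}', "cookies.json": b"[]"}
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
        z.writestr(MANIFEST_NAME, json.dumps(manifest))
    return buf.getvalue()

def verify_package(data):
    """Recompute every hash; report modified, missing and unlisted files."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read(MANIFEST_NAME))
        names = set(z.namelist()) - {MANIFEST_NAME}
        result = {"modified": [], "missing": [],
                  "unlisted": sorted(names - set(manifest))}
        for name, expected in sorted(manifest.items()):
            if name not in names:
                result["missing"].append(name)
                continue
            digest = hashlib.sha256()
            with z.open(name) as f:  # stream, so large recordings fit in memory
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            if digest.hexdigest() != expected.lower():
                result["modified"].append(name)
    return result

def tamper(data, name, new_bytes):
    """Rewrite one artifact without touching the manifest (for the demo)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_bytes if item == name else src.read(item))
    return out.getvalue()

if __name__ == "__main__":
    print(verify_package(tamper(build_sample_package(), "reject.har", b"{}")))
```

A manifest stored beside the files only detects changes when the manifest itself is authenticated or its digest is recorded somewhere the package holder cannot rewrite.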
Why manual audits fall short
A manual audit captures state. A forensic recording captures behavior. The difference matters because consent violations are about sequences, not snapshots.
An auditor takes a screenshot showing a cookie banner is present. That proves the banner exists. It does not prove the banner works. It does not prove that rejecting cookies actually stops tracking. It does not prove that tracking scripts wait for consent before firing.
Regulators have caught on. The Dutch DPA's enforcement actions against cookie consent increasingly reference technical evidence: network logs, cookie behavior analysis, and request timing. A checklist from 2023 will not satisfy an investigation in 2026.
See evidence-backed scanning in action
Vakteye produces forensic compliance evidence for every scan: browser session recordings, HAR files, cookie diffs, and integrity-verified evidence packages.
From reactive to provable compliance
The shift from checklist compliance to evidence-based compliance is not optional. GDPR Article 5(2) requires it, and enforcement trends confirm it. Organizations that can produce forensic evidence of their compliance posture respond to investigations in days, not months.
The evidence collection is automated. Every Vakteye scan generates the same artifacts, every time. No manual steps, no judgment calls on what to capture. The result is consistent, reproducible proof that your consent mechanisms do what they claim.