VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign In
Vakteye audit

IMY-style cookie banner audit, run before they ask

IMY's published enforcement decisions share a pattern: the company had a cookie banner and a privacy policy, but the banner's reject function did not actually stop tracking. Vakteye's audit reproduces the same category of behavioral test — click reject, observe the network, compare against what the policy promises — so the gap is found internally first.

Who it's for

  • Organizations that have received, or are worried about receiving, an IMY inquiry
  • Companies in sectors IMY has actively enforced against (retail, finance, media, health-adjacent services)
  • Legal and compliance teams preparing an evidence file ahead of a supervisory request

What Vakteye tests

  • Whether the reject flow behaves the same way IMY's technical investigators have tested in published decisions
  • Whether third-party marketing and analytics tags fire before any consent choice is made
  • Whether the privacy policy's stated third parties match the trackers actually observed on the site
  • Whether consent state is respected consistently across the pages a visitor is likely to browse

Legal basis

GDPR Article 5

The lawfulness, fairness, and transparency principle IMY's decisions consistently anchor findings to.

GDPR Article 6(1)(a)

Consent as a legal basis must be genuine — IMY decisions repeatedly find that a banner collecting "no" and tracking anyway fails this standard.

ePrivacy Directive Article 5(3) / LEK 9 kap. §28

The specific cookie-consent rule most IMY cookie-banner findings are grounded in, alongside GDPR.

Example finding

Marketing tag fires before any consent choice

What we observed

On first page load, before the banner has even been interacted with, a scan detects a third-party marketing tag setting cookies and sending a network request.

Why it matters

This is a pre-consent tracking pattern — the clearest form of the finding that recurs across IMY's published cookie-related decisions. It requires no interpretation; the network log shows it directly.

FAQ

No. Vakteye produces evidence-backed technical findings and legal-article context. Representation before a supervisory authority is a matter for your own legal counsel.

The category of technical test mirrors patterns visible in IMY's published enforcement decisions and EDPB guidance. Each finding in your report cites the specific article it relates to, not a specific case.

Fine tiers follow GDPR Article 83's published structure (up to EUR 20 million / 4% of global turnover for the higher tier). Vakteye does not predict a specific fine — that determination belongs to the supervisory authority.

Ready to see what your website actually does?

Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.

Book a full audit
VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.