
We Scanned 4 Compliance Tools With Our Own Scanner. Here's What We Found.

Complicer Team, March 19, 2026

We build ComplyTest, an open-source compliance scanner with 47 rules across consent, accessibility, security, and transparency. We also build Complicer, a SaaS platform on top of it.

We asked a simple question: do compliance tools pass their own compliance checks?

We scanned four of the biggest names in the space. The answer is no.

Methodology

ComplyTest runs 47 automated checks in 4 categories:

  • Consent (11 rules): Cookie behavior before/after consent, banner design, visual parity, Google Consent Mode, and our killer feature — consent effectiveness testing. We click "Reject All" and verify that trackers actually stop firing.
  • Accessibility (16 rules): WCAG 2.2 AA coverage including color contrast, heading hierarchy, ARIA validation, skip navigation, target sizes, and landmark regions.
  • Security (14 rules): HTTP security headers (CSP, HSTS, X-Frame-Options), cookie security flags, Subresource Integrity, and CSP quality grading.
  • Transparency (6 rules): Privacy policy, terms of service, data controller identification, contact information, and complaint mechanism.

All scans were performed on March 19, 2026, using Playwright with a real Chromium browser. No shortcuts, no synthetic data.
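To make the consent effectiveness test concrete, here is an added example (not ComplyTest's own code) of the evaluation step: it assumes the network requests have already been recorded by a Playwright page.on('request') handler, and checks a constructed capture against a small tracker host list.

```javascript
// Added example, not ComplyTest's own code. It evaluates a constructed
// network capture the way a "Reject All" effectiveness test would: requests
// recorded after the reject click are matched against a tracker host list,
// and any tracker that still fires is reported as a consent-enforcement failure.

// Constructed tracker list (the real scanner uses a much larger categorised set).
const TRACKER_HOSTS = [
  'www.google-analytics.com',
  'analytics.google.com',
  'connect.facebook.net',
  'bat.bing.com',
];

// Hostname match that also covers subdomains, e.g. region1.analytics.google.com.
function isTrackerHost(hostname, trackerHosts = TRACKER_HOSTS) {
  return trackerHosts.some(t => hostname === t || hostname.endsWith('.' + t));
}

// Constructed capture: what a Playwright page.on('request') handler might have
// logged, with a millisecond timestamp per request and for the reject click.
const REJECT_CLICKED_AT = 1000;
const CAPTURE = [
  { url: 'https://example.test/', t: 100 },
  { url: 'https://www.google-analytics.com/g/collect?v=2', t: 300 },
  { url: 'https://example.test/app.js', t: 400 },
  { url: 'https://example.test/privacy', t: 1200 },
  { url: 'https://region1.analytics.google.com/g/collect?v=2', t: 1500 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', t: 1700 },
];

// Splits the capture at the reject click and returns the tracker hosts seen in
// each phase. Any tracker in `after` means rejection was not enforced, which is
// the kind of failure reported for Deque below.
function evaluateRejectAll(capture, rejectAt, trackerHosts = TRACKER_HOSTS) {
  const before = new Set();
  const after = new Set();
  for (const req of capture) {
    const host = new URL(req.url).hostname;
    if (!isTrackerHost(host, trackerHosts)) continue;
    (req.t < rejectAt ? before : after).add(host);
  }
  return { before: [...before].sort(), after: [...after].sort(), enforced: after.size === 0 };
}

console.log(JSON.stringify(evaluateRejectAll(CAPTURE, REJECT_CLICKED_AT), null, 2));
```

Requests seen before the click only show that trackers loaded pre-consent; the finding that matters is anything left in `after`.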

The Scorecard

Site        Score         Consent   Accessibility   Security   Transparency
Cookiebot   64% (30/47)   6/11      14/16           5/14       5/6
Deque       62% (29/47)   4/11      16/16           3/14       6/6
OneTrust    60% (28/47)   5/11      13/16           4/14       6/6
Monsido     60% (28/47)   3/11      15/16           5/14       5/6

No site scored above 64%. Three out of four scored 60% or below. The highest individual category score belonged to Deque on accessibility: a perfect 16/16. The lowest belonged to Monsido on consent: 3/11.

Cookiebot — 64% (30/47)

What they claim: "The most used solution for compliant use of cookies." Google Gold Tier CMP Partner. 13,000+ pre-categorized trackers. Serves 2.4 million websites.

What we found:

  • Sets cookies before consent — the very thing their product exists to prevent.
  • Accept/Reject buttons lack visual parity — the Accept button is visually more prominent than Reject, a dark pattern that GDPR guidance explicitly warns against.
  • Google Consent Mode defaults not configured — despite being a Google Gold Tier partner.
  • No skip navigation link — accessibility basics missing.
  • Buttons below 24×24px minimum — WCAG 2.2 target size failures (16×19px measured).
  • CSP quality: Grade F — no meaningful Content Security Policy in place.

Cookiebot scored the highest of the four, which is worth acknowledging. Their consent structure is better than most. But the consent management company still can't fully manage its own consent.

OneTrust — 60% (28/47)

What they claim: "The AI-Ready Governance Platform." Named Leader in 2025 IDC MarketScape. Trusted by Walgreens, Atlassian, Adobe, Pfizer, and Samsung.

What we found:

  • 2 cookies set before consent — a direct violation of GDPR's prior consent requirement.
  • 12 cookies exceed the 12-month expiration limit — against CNIL and ICO published guidelines.
  • Accept/Reject visual parity failure — the same dark pattern as Cookiebot.
  • Still running Google Consent Mode v1 — v2 has been required since March 2024, over two years ago.
  • No Content-Security-Policy header — the world's largest privacy platform has no CSP.
  • 5 cookies missing the Secure flag — basic cookie security absent.

OneTrust's consent scores (5/11) reflect an organisation that has not applied its own product rigor to its own marketing site. The Google Consent Mode failure is particularly notable: v2 became mandatory two years ago, and OneTrust sells GCM configuration as a feature.

Monsido — 60% (28/47)

What they claim: "Optimize Content for Accessible Websites." WCAG 2.1 AA compliance scanning. GDPR consent management (available as an add-on). Now part of Acquia.

What we found:

  • No Reject button at all — the consent banner offers no way to refuse cookies. This is a clear GDPR violation under CJEU case law (Planet49, C-673/17).
  • 13 non-essential cookies + 2 third-party cookies loaded before consent — the worst pre-consent cookie behavior of all four competitors.
  • Banner uses complex legal jargon — fails the GDPR requirement for clear and plain language.
  • Google Consent Mode not configured — despite Google Tag Manager being present on the page.
  • No Terms of Service link — a basic transparency gap.

Monsido scores the lowest on consent (3/11) despite selling consent management as a product feature. The absence of a Reject button is not an edge case or a misconfiguration — it is a structural GDPR violation, and it is on their homepage.

Deque — 62% (29/47)

What they claim: "Digital accessibility done right." Forrester Wave Leader. axe-core, with 3 billion+ downloads. "Zero false positives." 8,000+ accessibility audits completed.

What we found:

  • Perfect 16/16 on accessibility — Deque absolutely walks the talk here. Every WCAG 2.2 AA check passed. No color contrast failures, no missing ARIA labels, no target size issues.
  • 12 cookies set before consent — tied with Monsido for the worst pre-consent cookie count.
  • Analytics requests continue after clicking Reject — consent enforcement failed. This is our most important test: we click Reject All, then monitor network traffic to verify that analytics and tracking requests stop. Deque's site continued sending analytics data after rejection.
  • 13 cookies missing the Secure flag — basic cookie security absent across the board.
  • HSTS max-age of only 300 seconds — effectively useless. The recommended value is 31,536,000 (one year). 300 seconds means HSTS protection lapses every five minutes.

Deque's accessibility score is the best result in our entire test. Their consent posture is among the worst. They do not sell consent management tools, but they are still responsible for GDPR compliance on their own site — and on that measure, they fall short.
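As an added illustration of the kind of checks behind the Security findings above (this is not ComplyTest's rules engine), the following inspects an HSTS header, cookie Secure flags and a Content-Security-Policy on constructed response headers; the CSP grading rubric is a simplified assumption, not the scanner's.

```javascript
// Added example, not ComplyTest's rules engine. Three checks in the spirit of
// the Security category above: HSTS max-age, the cookie Secure flag, and CSP
// presence with a simplified quality grade. The CSP rubric is an assumption.

const ONE_YEAR = 31536000; // seconds; the recommended HSTS max-age cited above

// Parses Strict-Transport-Security. A max-age of 300 (as measured on one site
// above) is present but fails, because the policy expires in five minutes.
function checkHsts(headerValue) {
  if (!headerValue) return { present: false, maxAge: 0, includeSubDomains: false, pass: false };
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(headerValue);
  const maxAge = m ? Number(m[1]) : 0;
  return {
    present: true,
    maxAge,
    includeSubDomains: /includeSubDomains/i.test(headerValue),
    pass: maxAge >= ONE_YEAR,
  };
}

// Takes the Set-Cookie header values of a response and returns the names of
// cookies without the Secure attribute (they would also be sent over plain HTTP).
function cookiesMissingSecure(setCookieValues) {
  return setCookieValues
    .filter(v => !/;\s*secure\s*(;|$)/i.test(v))
    .map(v => v.split('=')[0].trim());
}

// Simplified CSP grade (assumed rubric): no header is F; 'unsafe-inline' or a
// bare * in the effective script source list is D; no default-src is C;
// otherwise B, or A when frame-ancestors is also restricted.
function gradeCsp(cspValue) {
  if (!cspValue) return 'F';
  const dirs = {};
  for (const d of cspValue.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) dirs[name.toLowerCase()] = sources;
  }
  const script = dirs['script-src'] || dirs['default-src'] || [];
  if (script.includes("'unsafe-inline'") || script.includes('*')) return 'D';
  if (!dirs['default-src']) return 'C';
  return dirs['frame-ancestors'] ? 'A' : 'B';
}

// Constructed response headers for one run.
const SAMPLE_HSTS = 'max-age=300; includeSubDomains';
const SAMPLE_COOKIES = ['sid=abc123; Path=/; HttpOnly; Secure', 'pref=dark; Path=/'];
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
console.log(checkHsts(SAMPLE_HSTS), cookiesMissingSecure(SAMPLE_COOKIES), gradeCsp(SAMPLE_CSP));
```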

What This Means

Every compliance tool we tested fails its own compliance standards.

This is not a gotcha exercise. It is a data point about how the industry works. Each company excels in the domain they sell: Deque aces accessibility, Cookiebot has the most coherent consent structure, OneTrust and Monsido have reasonable transparency scores. But nobody is checking the full picture. Consent teams do not own security headers. Accessibility teams do not audit cookie behavior. The result is a fragmented compliance posture that looks good in demos and fails in practice.

This is exactly the problem ComplyTest was built to solve: a single scanner that checks consent, accessibility, security, and transparency in one pass, against a fixed ruleset, using a real browser. No cherry-picking, no category silos.

And it is the problem Complicer is built to fix downstream — taking those scan results and turning them into prioritised remediation, AI-assisted classification, and regulator-ready evidence packages.

The compliance tools themselves are not bad products. But compliance is not just what you sell. It is also how you operate.

Try It Yourself

ComplyTest is open source. Run it against any website:

npx complytest scan https://your-site.com

47 rules. 4 categories. Real browser testing. No signup required.

Want automated monitoring, AI-powered classification, and regulator-ready evidence packages? That's what Complicer does.

