How to interpret Privacy Sniffer findings

APR 2026 · NOTE

Privacy Sniffer flags signals that may indicate tracking before valid consent. It is a technical indicator, not a final legal assessment. Below is a practical interpretation guide.

1) What counts as a “pre-consent” signal?

  • Network traffic to common analytics/ads endpoints before the user clicks “Accept”.
  • Client storage writes (cookies/localStorage) that appear tracking-related before opt-in.
  • Consent management platform (CMP) dark patterns (e.g., hiding the reject option): a risk indicator that needs manual review.

2) Evidence: what to capture

  • Full request URL + timestamp + method.
  • Banner screenshot + click-path (accept/reject/settings).
  • Export relevant logs (first requests before interaction).

3) Quick triage: severity vs false positives

Watch common false positives: purely functional endpoints, A/B testing without profiling, or analytics that only fully activates after consent. The core question is whether there is access to end-user equipment or personal data processing without prior valid consent / lawful basis.
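
As an added example (not part of Privacy Sniffer and not from the original note), the JavaScript below applies sections 1 to 3 to a HAR-style capture: it keeps tracker requests that started before an "accept" click and returns the evidence fields listed in section 2. The suffix list, the `consentClick` field and the sample entries are assumptions constructed for illustration.

```javascript
// Assumption: illustrative suffix list, not Privacy Sniffer's own detection list.
const TRACKER_SUFFIXES = ["google-analytics.com", "doubleclick.net"];

// Constructed sample: HAR-style entries plus the first banner click (hypothetical field).
const sampleCapture = {
  consentClick: { action: "accept", at: "2026-04-01T10:00:05.000Z" },
  entries: [
    { startedDateTime: "2026-04-01T10:00:00.200Z",
      request: { method: "GET", url: "https://shop.example/app.js" } },
    { startedDateTime: "2026-04-01T10:00:01.500Z",
      request: { method: "POST", url: "https://stats.doubleclick.net/collect" },
      response: { cookies: [{ name: "uid" }] } },
    { startedDateTime: "2026-04-01T10:00:00.900Z",
      request: { method: "GET", url: "https://www.google-analytics.com/g/collect?v=2" } },
    // Look-alike host: a substring match would flag it, a suffix match does not.
    { startedDateTime: "2026-04-01T10:00:02.000Z",
      request: { method: "GET", url: "https://google-analytics.com.cdn.example/x.js" } },
    { startedDateTime: "2026-04-01T10:00:06.000Z",
      request: { method: "GET", url: "https://www.google-analytics.com/g/collect?v=2" } },
  ],
};

function isTrackerHost(hostname) {
  return TRACKER_SUFFIXES.some((s) => hostname === s || hostname.endsWith("." + s));
}

// Returns evidence records (timestamp, method, full URL, cookies set) for
// tracker requests that started before an "accept" click, oldest first.
function findPreConsentSignals(capture) {
  const click = capture.consentClick;
  // Reject or no click at all: there is never an opt-in, so nothing is "after consent".
  const acceptedAt = click && click.action === "accept" ? Date.parse(click.at) : Infinity;
  return capture.entries
    .map((e) => ({
      timestamp: e.startedDateTime,
      method: e.request.method,
      url: e.request.url,
      host: new URL(e.request.url).hostname,
      cookiesSet: (e.response?.cookies ?? []).map((c) => c.name),
    }))
    .filter((r) => Date.parse(r.timestamp) < acceptedAt && isTrackerHost(r.host))
    .sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
}

console.log(findPreConsentSignals(sampleCapture));
```

A hit from this filter is still only a signal: whether the endpoint is purely functional or the request carries personal data needs the manual review described above.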

4) Follow-up actions

  • Re-scan with cleared cache + a fresh session.
  • Check whether “reject” is as easy as “accept” (ACM guidance).
  • Compare policy disclosure against actual network behavior.
