Revenue Signal Audit · B2B Construction

Six Tracking Tools, Four Ad Networks, and a Consent Banner That Didn't Work

What a 20-minute external audit of one national self-storage builder turned up, using only data any visitor can see. Anonymized. Not legal advice.

Snapshot

Industry
Self-storage construction (B2B), national U.S.
Situation
Mainstream CMS, recently through a corporate acquisition, paid campaigns running on four ad networks.
What we looked at
Publicly visible, client-side data only. No account access. About 20 minutes.
What we found
A consent banner that contradicted the site's own code, session recording that started before any consent choice, and no conversion signal we could observe.
Why it matters
A legal exposure sitting in plain sight, and an ad budget being optimized toward clicks instead of customers.

This company was doing everything a serious marketer is supposed to do. Google Analytics 4, Google Ads, Meta, LinkedIn, Microsoft Ads, plus a session-recording tool. On paper, a modern stack.

In practice, three problems that any prospect, competitor, or plaintiff's attorney could see from the outside in about fifteen minutes. We saw them from the same chair, with no access to anything private.

What we found

01

The consent banner was theater

The site shows a cookie banner that promises, in writing, that if you decline, your information won't be tracked.

We loaded the site and opened the browser's network panel. Before clicking anything, analytics and advertising cookies from six platforms were already set, and a session-recording tool was already streaming data. We clicked Decline and reloaded. The session recorder kept running.

The banner makes a promise the code breaks on page load. It gets worse: the site's own footer uses a different consent model ("by using our site, you agree"), and the privacy policy claims to honor opt-out signals while the mechanism it points to doesn't appear to stop anything.

02

Session recording before consent, in a hard-enforcement state

The most aggressive tool on the site was a session recorder capturing mouse movement, scrolling, clicks, and potentially form input, firing before any consent choice. The company is headquartered in a U.S. state with some of the strictest consumer-privacy and wiretapping enforcement in the country, the kind that has driven a wave of lawsuits aimed at session-replay tools used without prior consent.

This is no longer messy analytics. It reads as standing exposure. It is exactly the kind of finding a company wants to hear from a consultant before it hears it from a court. (Not legal advice.)

03

They spend on ads and can't see what works

Six platforms, all installed client-side. The tag-management container existed but was empty. Every tag was hardcoded directly onto the page, with no data layer and no governance. Beyond a basic pageview and a remarketing ping, we couldn't observe any conversion event.

So they pay for Google Ads, Meta, LinkedIn, and Microsoft Ads, and from the outside there was no reliable way to tell which traffic becomes a lead. You can't optimize what you can't measure, so the budget flies blind.

Why does this cost them?

DimensionWhat it costs them
Legal & reputationalA non-functional consent flow plus session recording without opt-in reads as active liability in a high-enforcement state. A written promise the technology contradicts.
Wasted ad spendFour paid channels with no trustworthy conversion signal. Every dollar optimized toward clicks, not customers.
Privacy debtThe privacy policy is a generic template. It doesn't name the real tools in use, describes features the site doesn't have, and contradicts itself on whether data is sold.
Code rotA JavaScript library from 2016 with known vulnerabilities, a live script error in production, and an outdated ad tag using a soon-to-be-removed browser API. The fingerprints of a site nobody owns after an acquisition.

One more thing worth sitting with: none of this required access to their accounts. It was all visible to anyone with a browser. Which means it's also visible to their competitors.

What we'd fix, in priority order

  1. 01Make consent real. Route every tag through the tag manager, implement Consent Mode properly, hold non-essential tags until opt-in, and honor opt-out signals for real. Turn off session recording until there's a valid legal basis.
  2. 02Align the paperwork to reality. A privacy policy that names the actual tools, resolves the self-contradictions, and matches what the site does.
  3. 03Restore the conversion signal. A clean event layer (form submissions, qualified leads) feeding the ad platforms, so spend can be optimized to revenue instead of clicks.
  4. 04Clean up the rot. Update the legacy library and ad tags, fix the broken script, label the form fields.

So what's the result?

We don't promise numbers we can't stand behind, and an external audit can't measure a lift that hasn't happened yet. What it can do is surface the problem precisely, before it becomes expensive.

The pattern is consistent. Companies that fix broken consent remove a real legal exposure quickly. Companies that restore a conversion layer often find that a meaningful share of their "unattributed" traffic was converting all along, which is what finally lets them cut wasted spend and double down on what works.

The audit itself is the deliverable here: a clear, evidence-backed picture of what's broken and what it's costing, produced in under half an hour with no access to anything private.

How we found it

The Revenue Signal Audit is a fixed external protocol, no client access:

  1. 01Inventory. Every pixel and cookie, not just the Google ones, via the browser network panel and tracker-detection tools.
  2. 02Governance check. Tag manager versus hardcoded, duplication, empty containers.
  3. 03Consent test. What fires before the banner choice, and whether Decline actually declines, tested across geographies.
  4. 04Conversion-path test. Walk the lead form and watch whether a conversion actually fires.
  5. 05Code and performance. Console errors, legacy libraries, page speed in the field versus the lab.
  6. 06Public intelligence. Ad-library presence, traffic estimates, and the company's own privacy policy read against its real behavior.

Everything is cross-checked against the network panel, the one layer that can't be faked, and scored on a vendor-neutral severity model rather than a tool's self-serving grade.

The first audit is free. No access required.

We find out which number is telling the truth. Request your Revenue Signal Audit.

Request the free audit

FAQ

Findings are derived from publicly accessible, client-side data. Identifying details have been removed. References to privacy and wiretapping statutes illustrate risk categories and do not constitute legal advice; clients should consult qualified counsel.