A digital marketing agency’s own site
An agency running its own analytics the way it would set up a client’s, audited the same way any client site would be. Company name, domain and exact figures have been removed. What’s below is real.
An agency running its own analytics the way it would set up a client’s, audited the same way any client site would be. Company name, domain and exact figures have been removed. What’s below is real.
The system that controls every tracking tool on the site, Google Tag Manager, wasn't available for review. Without it, there was no way to confirm whether the site's analytics and advertising tools wait for a visitor's cookie consent before collecting data, which UK and EU privacy law requires. Two advertising accounts were linked with audience personalisation switched on, so this wasn't a theoretical gap: real visitor data was flowing somewhere that couldn't be checked.
Visitor data was being shared with linked advertising accounts and used to personalise which ads those visitors saw. That's only permitted once a visitor has actively opted in. Whether the consent signal was being captured and passed correctly couldn't be confirmed until the container itself was reviewed, so this stayed an open question rather than a resolved one.
No filter was in place to exclude the business's own staff and developers from analytics. On a lower-traffic site, that matters more than people expect: a handful of internal visits browsing the site during the working week is enough to visibly shift session counts, page views and conversion rates away from what real prospects were actually doing.
The site was recording file downloads, brochures and resources visitors were actually engaging with, but this wasn't set up as a tracked goal. That meant a real form of engagement never showed up in conversion reporting, and the marketing activity driving those downloads had no way to get credit for it.
The advertising account was linked to analytics, but zero audiences had been built from it. Audiences are what let a business retarget people who've already shown interest, or build lookalike targeting from its best visitors. With the connection already in place, this was a gap that cost nothing to close.
✓Lead tracking was correctly configured and recording enquiries as a goal.
✓The attribution model was set to data-driven, spreading credit fairly across the channels that contributed to each lead rather than defaulting to last click.
✓Data retention was set to the maximum available window, keeping enough history for year-on-year comparison.
✓Enhanced measurement was switched on, automatically capturing scroll depth, outbound clicks and form interactions.
This came from a normal two-minute audit, no manual digging. Your first audit is free.
Run a free audit →If consent architecture is the open question on your own setup, the consent mode audit guide covers what a full review checks. More real audits are at Case studies.
The audit needed access to the Google Tag Manager container to check how each tag is configured, specifically whether tags wait for a consent signal before firing. Without that container, an auditor can see that consent tools exist but can't confirm they're actually gating the tags that need them.
A filter excluding staff and developer visits matters on any site, but the effect is proportionally larger where total traffic is lower. A dozen internal visits are a rounding error against ten thousand monthly sessions, but a meaningful share of the total against a few hundred.
Not in how it's run, an audit doesn't distinguish between an agency's own site and a client's. The value is that an agency ends up seeing its own setup held to the same standard it applies to clients, which is where gaps like this one usually surface.