https://kokkeloren.no/
Severe privacy issues requiring immediate attention
Trackers Found: 41
Cookies: 15
Network Requests: 122
Load Time: 7.9s
This Norwegian meal kit website has serious GDPR compliance violations that create immediate legal liability. The site is tracking all visitors before consent through multiple US-based services (Snapchat, Google, Microsoft Clarity), secretly recording visitor behavior, and using invasive fingerprinting techniques. While the site has CookieBot infrastructure in place, it's misconfigured and allows extensive tracking without proper consent mechanisms.
Critical Actions:
Detail
Found 13 tracking cookie(s) and 7 tracking request(s) BEFORE any consent interaction. This is the most common GDPR violation.
Remediation
Configure CookieBot to block all non-essential cookies and tracking scripts until after consent is given. Ensure Google Tag Manager and other tracking tools are configured with 'consent mode' to prevent loading before consent.
Legal Reference
GDPR Art. 6 & ePrivacy Directive Art. 5(3)
Raw Data
{
"tracking_cookies_before_consent": 13,
"tracking_requests_before_consent": 7
}

Detail
The consent banner has no visible 'reject' or 'decline' button. Under GDPR, rejecting cookies must be as easy as accepting them.
Remediation
Add a prominent 'Reject All' or 'Decline' button to your CookieBot consent banner configuration. The reject option must be equally visible and accessible as the accept button.
Legal Reference
GDPR Art. 7(3) & Planet49 ruling
Raw Data
{
"reject_button_found": false
}

Detail
Found CookieBot CMP (CookieBot (Usercentrics)) loading from https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false. Purpose: Cookie consent management platform.
Remediation
Ensure CookieBot is configured to block all non-essential tracking until consent is given, and that the consent banner includes proper reject options.
Legal Reference
GDPR Art. 25 (data protection by design)
Raw Data
{
"vendor": "CookieBot (Usercentrics)",
"purpose": "Cookie consent management platform",
"category": "consent",
"script_src": "https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false",
"gdpr_concern": "Consent management tool.",
"tracker_name": "CookieBot CMP",
"data_collected": [
"consent preferences"
]
}

Raw Data
{
"expiry": "0 days",
"secure": true,
"vendor": "Cloudflare",
"purpose": "necessary",
"http_only": true,
"same_site": "None",
"cookie_name": "__cf_bm",
"cookie_domain": "clerk.kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Raw Data
{
"expiry": "0 days",
"secure": true,
"vendor": "Cloudflare",
"purpose": "necessary",
"http_only": true,
"same_site": "None",
"cookie_name": "__cf_bm",
"cookie_domain": "hubspot.com",
"is_long_lived": false,
"is_third_party": true
}

Detail
2 request(s) to consent.cookiebot.com (Cookie consent management platform).
Remediation
No action needed - this is expected behavior for CookieBot to operate correctly.
Raw Data
{
"domain": "consent.cookiebot.com",
"vendor": "CookieBot (Usercentrics)",
"purpose": "Cookie consent management platform",
"sample_urls": [
"https://consent.cookiebot.com/uc.js?cbid=722d4d5b-d6d6-4159-8ee4-e23e6a44b532&implementation=gtm&consentmode-dataredaction=dynamic",
"https://consent.cookiebot.com/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/cc.js?renew=false&referer=kokkeloren.no&dnt=false&init=false"
],
"pii_detected": [],
"request_count": 2,
"resource_types": [
"script"
]
}

Detail
A custom cookie consent banner (vendor: Custom) is present on the page.
Remediation
Review your custom consent banner implementation to ensure it properly integrates with CookieBot's blocking mechanisms and includes all required elements (reject option, granular choices, clear information).
Legal Reference
GDPR Art. 7 & EDPB Guidelines 05/2020
Raw Data
{
"cmp": "Custom consent banner",
"vendor": "Custom"
}

Detail
4 request(s) to tr.snapchat.com (unknown) — PII detected: e in POST body.
Remediation
Remove Snapchat Pixel tracking code or ensure it only loads after explicit consent for marketing cookies. Implement event tracking that doesn't send PII.
Legal Reference
GDPR Art. 6, Art. 7
Raw Data
{
"domain": "tr.snapchat.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://tr.snapchat.com/config/no/1d31ab17-414f-451d-8894-ae8da4c42eca.json?v=3.54.2-2603162155",
"https://tr.snapchat.com/cm/i?pid=1d31ab17-414f-451d-8894-ae8da4c42eca&u_scsid=a419a06a-5130-4784-9f73-3f7de69cd49f&u_sclid=61b891c5-f688-4a59-a1a0-05cc4c0f6881",
"https://tr.snapchat.com/p",
"https://tr.snapchat.com/p"
],
"pii_detected": [
"e in POST body"
],
"request_count": 4,
"resource_types": [
"fetch",
"ping",
"document"
]
}

Detail
1 request(s) to track-eu1.hubspot.com (unknown) — PII detected: ln (URL parameter).
Remediation
Configure HubSpot to only activate tracking after consent. Review what data is being sent and implement privacy-friendly tracking configurations.
Legal Reference
GDPR Art. 6, ePrivacy Directive Art. 5(3)
Raw Data
{
"domain": "track-eu1.hubspot.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://track-eu1.hubspot.com/__ptq.gif?k=1&sd=1920x1080&cd=24-bit&cs=UTF-8&ln=nb-no&v=1.1&a=139580736&pu=https%3A%2F%2Fkokkeloren.no%2F&t=Matkasse+fra+Kokkel%C3%B8ren&cts=1773755468036&vi=e5ba4d7c15f"
],
"pii_detected": [
"ln (URL parameter)"
],
"request_count": 1,
"resource_types": [
"image"
]
}

Detail
Third-party cookie from sc-static.net, expires: 0 days, purpose: Unrecognized cookie.
Remediation
Identify the source of this cookie and its purpose. Remove if unnecessary or ensure proper consent management.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "0 days",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "None",
"cookie_name": "X-AB",
"cookie_domain": "sc-static.net",
"is_long_lived": false,
"is_third_party": true
}

Detail
First-party cookie from kokkeloren.no, expires: 1 year, purpose: Snapchat conversion tracking cookie. Vendor: Snap Inc.
Remediation
Ensure Snapchat cookies only set after explicit marketing consent. Consider shorter cookie lifetimes or privacy-friendly alternatives.
Legal Reference
ePrivacy Directive Art. 5(3), GDPR Art. 7
Raw Data
{
"expiry": "1 years",
"secure": false,
"vendor": "Snap Inc.",
"purpose": "marketing",
"http_only": false,
"same_site": "Lax",
"cookie_name": "_scid",
"cookie_domain": "kokkeloren.no",
"is_long_lived": true,
"is_third_party": false
}

Detail
First-party cookie from kokkeloren.no, expires: 1 year, purpose: Snapchat conversion tracking cookie (restricted). Vendor: Snap Inc.
Remediation
Ensure Snapchat cookies only set after explicit marketing consent. Implement proper cookie consent management.
Legal Reference
ePrivacy Directive Art. 5(3), GDPR Art. 7
Raw Data
{
"expiry": "1 years",
"secure": false,
"vendor": "Snap Inc.",
"purpose": "marketing",
"http_only": false,
"same_site": "Lax",
"cookie_name": "_scid_r",
"cookie_domain": "kokkeloren.no",
"is_long_lived": true,
"is_third_party": false
}

Raw Data
{
"expiry": "session",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": true,
"same_site": "None",
"cookie_name": "_cfuvid",
"cookie_domain": "hubspot.com",
"is_long_lived": false,
"is_third_party": true
}

Detail
First-party cookie from kokkeloren.no, expires: 5 months, purpose: HubSpot visitor tracking cookie. Vendor: HubSpot.
Remediation
Ensure HubSpot analytics only activates after consent. Consider shorter retention periods or privacy-friendly analytics like Plausible or Fathom.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "5 months",
"secure": false,
"vendor": "HubSpot",
"purpose": "analytics",
"http_only": false,
"same_site": "Lax",
"cookie_name": "__hstc",
"cookie_domain": "kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Detail
First-party cookie from kokkeloren.no, expires: 5 months, purpose: HubSpot user token for visitor identification. Vendor: HubSpot.
Remediation
Configure HubSpot to only track after consent or switch to privacy-friendly analytics that don't create persistent user IDs.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "5 months",
"secure": false,
"vendor": "HubSpot",
"purpose": "analytics",
"http_only": false,
"same_site": "Lax",
"cookie_name": "hubspotutk",
"cookie_domain": "kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Detail
First-party cookie from kokkeloren.no, expires: session, purpose: HubSpot session reset detection. Vendor: HubSpot.
Remediation
Ensure HubSpot session tracking only activates after analytics consent.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "session",
"secure": false,
"vendor": "HubSpot",
"purpose": "analytics",
"http_only": false,
"same_site": "Lax",
"cookie_name": "__hssrc",
"cookie_domain": "kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Detail
First-party cookie from kokkeloren.no, expires: 0 days, purpose: HubSpot session tracking. Vendor: HubSpot.
Remediation
Configure HubSpot session tracking to respect visitor consent preferences.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "0 days",
"secure": false,
"vendor": "HubSpot",
"purpose": "analytics",
"http_only": false,
"same_site": "Lax",
"cookie_name": "__hssc",
"cookie_domain": "kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Raw Data
{
"expiry": "1 years",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": true,
"same_site": "Lax",
"cookie_name": "__client",
"cookie_domain": "clerk.kokkeloren.no",
"is_long_lived": true,
"is_third_party": false
}

Raw Data
{
"expiry": "1 years",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "Lax",
"cookie_name": "__client_uat",
"cookie_domain": "kokkeloren.no",
"is_long_lived": true,
"is_third_party": false
}

Raw Data
{
"expiry": "1 years",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "Lax",
"cookie_name": "__client_uat_rj7vSR9-",
"cookie_domain": "kokkeloren.no",
"is_long_lived": true,
"is_third_party": false
}

Detail
First-party cookie from clerk.kokkeloren.no, expires: session, purpose: Unrecognized cookie.
Remediation
Verify the purpose of Clerk authentication cookies and ensure they are properly documented.
Raw Data
{
"expiry": "session",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": true,
"same_site": "None",
"cookie_name": "_cfuvid",
"cookie_domain": "clerk.kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Detail
First-party cookie from kokkeloren.no, expires: 6 days, purpose: Unrecognized cookie.
Remediation
Identify the source and purpose of this cookie. Remove if unnecessary or ensure proper consent.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"expiry": "6 days",
"secure": false,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "Lax",
"cookie_name": "_ScCbts",
"cookie_domain": "kokkeloren.no",
"is_long_lived": false,
"is_third_party": false
}

Detail
4 request(s) to policy.app.cookieinformation.com (unknown).
Remediation
No action required - this is expected behavior for consent management systems.
Raw Data
{
"domain": "policy.app.cookieinformation.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://policy.app.cookieinformation.com/uc.js",
"https://policy.app.cookieinformation.com/cookie-data/kokkeloren.no/cabl.json",
"https://policy.app.cookieinformation.com/cookiesharingiframe.html",
"https://policy.app.cookieinformation.com/latest/66273/en.js"
],
"pii_detected": [],
"request_count": 4,
"resource_types": [
"script",
"xhr",
"document"
]
}

Detail
2 request(s) to consentcdn.cookiebot.com (unknown).
Remediation
Verify why both Cookie Information and Cookiebot resources are loading. Remove unused consent management systems.
Raw Data
{
"domain": "consentcdn.cookiebot.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://consentcdn.cookiebot.com/sdk/bc-v4.min.html",
"https://consentcdn.cookiebot.com/consentconfig/722d4d5b-d6d6-4159-8ee4-e23e6a44b532/settings.json"
],
"pii_detected": [],
"request_count": 2,
"resource_types": [
"xhr",
"document"
]
}

Detail
1 request(s) to js-eu1.hs-scripts.com (unknown).
Remediation
Good practice - continue using EU-hosted HubSpot scripts. Ensure tracking respects consent.
Raw Data
{
"domain": "js-eu1.hs-scripts.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://js-eu1.hs-scripts.com/139580736.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}

Detail
2 request(s) to kokkeloren-snack-runner.kokkeloren.workers.dev (unknown).
Remediation
No action required for privacy - this appears to be your own service infrastructure.
Raw Data
{
"domain": "kokkeloren-snack-runner.kokkeloren.workers.dev",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://kokkeloren-snack-runner.kokkeloren.workers.dev/user/subscription",
"https://kokkeloren-snack-runner.kokkeloren.workers.dev/user/subscription"
],
"pii_detected": [],
"request_count": 2,
"resource_types": [
"fetch"
]
}

Detail
1 request(s) to js-eu1.hs-banner.com (unknown).
Remediation
Ensure HubSpot banners only load after appropriate consent for marketing.
Raw Data
{
"domain": "js-eu1.hs-banner.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://js-eu1.hs-banner.com/v2/139580736/banner.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}

Detail
1 request(s) to js-eu1.hs-analytics.net (unknown).
Remediation
Continue using EU-hosted analytics. Ensure tracking respects visitor consent preferences.
Raw Data
{
"domain": "js-eu1.hs-analytics.net",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://js-eu1.hs-analytics.net/analytics/1773749100000/139580736.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}

Detail
1 request(s) to tr6.snapchat.com (unknown).
Remediation
Review Snapchat Pixel implementation to minimize tracking requests and ensure consent compliance.
Legal Reference
GDPR Art. 7
Raw Data
{
"domain": "tr6.snapchat.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://tr6.snapchat.com/p"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"ping"
]
}

Detail
Found Google Ads (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.
Remediation
If you're not actively running Google Ads campaigns, remove this tracker entirely from Google Tag Manager. If you are running ads, ensure it only fires after explicit consent and consider first-party alternatives like server-side conversion tracking.
Legal Reference
GDPR Art. 6, ePrivacy Directive Art. 5(3)
Raw Data
{
"via": "raw_js_scan",
"container_id": "GTM-N8S3TGCP",
"detected_pattern": "googleadservices\\.com"
}

Detail
Found DoubleClick (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.
Remediation
Remove DoubleClick tracking unless essential for your business. If needed for ad measurement, implement consent-based loading and consider Google's Enhanced Conversions as a privacy-friendly alternative that uses hashed first-party data.
Legal Reference
GDPR Art. 6, CNIL v. Google (2022)
Raw Data
{
"via": "raw_js_scan",
"container_id": "GTM-N8S3TGCP",
"detected_pattern": "doubleclick\\.net"
}

Detail
1 request(s) to pagead2.googlesyndication.com (Display advertising network).
Remediation
Configure your consent management system to block these requests until visitors explicitly consent to advertising cookies. The 'npa=1' parameter suggests non-personalized ads, but this still requires consent under EU law.
Legal Reference
ePrivacy Directive Art. 5(3), Planet49
Raw Data
{
"domain": "pagead2.googlesyndication.com",
"vendor": "Google",
"purpose": "Display advertising network",
"sample_urls": [
"https://pagead2.googlesyndication.com/ccm/collect?frm=0&ae=g&en=page_view&dl=https%3A%2F%2Fkokkeloren.no%2F&scrsrc=sgtm.kokkeloren.no&rnd=503953232.1773755469&navt=n&npa=1&us_privacy=1---&ep.ads_data_"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"fetch"
]
}

Detail
1 request(s) to o463742.ingest.us.sentry.io (Error monitoring and performance tracking) — PII detected: name in POST body.
Remediation
Immediately configure Sentry to exclude PII from error reports or switch to an EU-hosted alternative like self-hosted Sentry or GlitchTip. If keeping Sentry, implement data masking and obtain explicit consent.
Legal Reference
GDPR Art. 5(1)(a), Schrems II
Raw Data
{
"domain": "o463742.ingest.us.sentry.io",
"vendor": "Sentry",
"purpose": "Error monitoring and performance tracking",
"sample_urls": [
"https://o463742.ingest.us.sentry.io/api/4508449385807872/envelope/?sentry_version=7&sentry_key=6324798c673cf01315a26377634bb817&sentry_client=sentry.javascript.nextjs%2F9.10.0"
],
"pii_detected": [
"name in POST body"
],
"request_count": 1,
"resource_types": [
"fetch"
]
}

Detail
Found Google Tag Manager (Google) loading from https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1. Purpose: Tag management system that can load any tracking script.
Remediation
Audit all tags in GTM container GTM-N8S3TGCP to identify what's actually tracking visitors. Replace with server-side tag management or privacy-focused alternatives like Matomo Tag Manager.
Legal Reference
GDPR Art. 25, Schrems II
Raw Data
{
"vendor": "Google",
"purpose": "Tag management system that can load any tracking script",
"category": "analytics",
"script_src": "https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1",
"gdpr_concern": "Container may include any number of tracking tags, often without the site owner's full awareness.",
"tracker_name": "Google Tag Manager",
"data_collected": [
"depends on configured tags"
]
}

Detail
Found AT Internet/Piano Analytics (AT Internet (Piano)) in inline JavaScript.
Remediation
Ensure Piano Analytics only loads after explicit consent, configure it for EU data processing, or replace with privacy-friendly analytics like Plausible or Fathom that don't require consent.
Legal Reference
GDPR Art. 6, ePrivacy Directive Art. 5(3)
Raw Data
{
"vendor": "AT Internet (Piano)",
"category": "analytics",
"tracker_id": "",
"tracker_name": "AT Internet/Piano Analytics",
"pattern_matched": "xiti|atinternet|piano\\.io/xiti",
"detection_method": "inline_pattern"
}

Raw Data
{
"container_id": "GTM-N8S3TGCP"
}

Detail
1 request(s) to www.googletagmanager.com (Tag management system that can load any tracking script).
Remediation
This is part of the Google Tag Manager system - address through the GTM audit and consent implementation mentioned above.
Legal Reference
Schrems II
Raw Data
{
"domain": "www.googletagmanager.com",
"vendor": "Google",
"purpose": "Tag management system that can load any tracking script",
"sample_urls": [
"https://www.googletagmanager.com/gtm.js?id=GTM-N8S3TGCP&gtg_health=1"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}

Detail
Found Microsoft Clarity (via GTM) reference in GTM container GTM-N8S3TGCP. This tracker may fire based on container triggers.
Remediation
Remove Microsoft Clarity from your Google Tag Manager container or configure it to only load after explicit visitor consent. Consider privacy-friendly alternatives like self-hosted analytics (Matomo) or simple analytics (Plausible, Fathom) that don't record individual sessions. If you keep Clarity, ensure it only activates after users explicitly consent to session recording.
Legal Reference
GDPR Art. 6 (lawful basis required), GDPR Art. 13 (visitors must be informed), ePrivacy Directive Art. 5(3) (consent required for tracking)
Raw Data
{
"via": "raw_js_scan",
"container_id": "GTM-N8S3TGCP",
"detected_pattern": "clarity\\.ms"
}

Detail
Found Snapchat Pixel (Snap Inc.) loading from https://sc-static.net/scevent.min.js. Purpose: Conversion tracking for Snapchat ads.
Remediation
Remove the Snapchat Pixel script or implement server-side conversion tracking that doesn't share visitor data with Snapchat. Alternatively, use first-party analytics to measure campaign effectiveness without third-party tracking.
Legal Reference
GDPR Art. 6 (lawful basis), Art. 44-49 (international transfers), ePrivacy Directive Art. 5(3)
Raw Data
{
"vendor": "Snap Inc.",
"purpose": "Conversion tracking for Snapchat ads",
"category": "advertising",
"script_src": "https://sc-static.net/scevent.min.js",
"gdpr_concern": "US data transfer for ad tracking.",
"tracker_name": "Snapchat Pixel",
"data_collected": [
"conversions",
"page views"
]
}

Detail
1 request(s) to sc-static.net (Conversion tracking for Snapchat ads).
Remediation
Block the sc-static.net requests by removing Snapchat tracking code. If conversion tracking is needed, use Google Analytics Enhanced Ecommerce or server-side conversion APIs that don't expose visitor data to ad platforms.
Legal Reference
GDPR Art. 6 (lawful basis), Art. 44-49 (international transfers), ePrivacy Directive Art. 5(3)
Raw Data
{
"domain": "sc-static.net",
"vendor": "Snap Inc.",
"purpose": "Conversion tracking for Snapchat ads",
"sample_urls": [
"https://sc-static.net/scevent.min.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}

Detail
Tests which fonts are installed by measuring text rendering differences. Attributed to: https://kokkeloren.no/_next/static/chunks/2d1400c4-80e8491da2619b0b.js
Remediation
Remove the font fingerprinting code from your Next.js application. If you need font-related functionality, use CSS font-display properties or web fonts that don't require measuring installed system fonts. Review your JavaScript bundles to ensure no fingerprinting libraries are included.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"technique": "font",
"match_count": 2,
"source_script": "https://kokkeloren.no/_next/static/chunks/2d1400c4-80e8491da2619b0b.js",
"patterns_matched": [
"measureText\\s*\\(.*?\\).*?width",
"fontFamily.*?(?:serif|sans-serif|monospace).*?fontFamily"
]
}