| Leak identified | Severity | Est. monthly impact | Fix required |
|---|---|---|---|
Tags fire after Reject All — 4 URLs Vendors firing despite Reject All: GA4. This breaches GDPR/PECR and is incompatible with Consent Mode v2 'denied'… | High | −£15.0k/mo | Add consent-aware GTM triggers (Consent Mode v2 'ad_storage' /… |
PII (phone) sent to GA4 (31 occurrences) Detected phone in params ['_p', 'cid', 'gtm', 'sid', 'uafvl'] of https://region1.google-analytics.com/g/collect?… | High | −£10.0k/mo | Hash, redact, or remove PII before sending. |
2 render-blocking resources delay FCP by 403ms The top offenders: /styles.css (202ms); /css (201ms). Every ms saved here shows up in FCP and usually LCP too. | High | −£4.8k/mo | Move non-critical CSS to preload + onload flip, or inline critical CSS for… |
Duplicate GA4 install (5 occurrences) Found 3 instances of GA4 on the same page; may double-count events. | High | −£4.8k/mo | Audit GTM containers + hard-coded snippets and keep a single GA4 install. |
https://www.srverror.com/styles.css blocks render on 86% of pages — 65823ms aggregate wasted Seen on 86/100 audited mobile pages. | High | −£4.8k/mo | This single file blocks render across most of the site. |
2 render-blocking resources delay FCP by 1560ms The top offenders: /styles.css (780ms); /css (780ms). Every ms saved here shows up in FCP and usually LCP too. | High | −£3.6k/mo | Move non-critical CSS to preload + onload flip, or inline critical CSS for… |
3941KB unused JavaScript from www.googletagmanager.com across 12 URLs Top files: /gtag.js/js (65KB / 41%); /assets/en/lipscore-v1.js (62KB / 76%); /gtm.js (60KB / 43%)… | High | −£2.9k/mo | Tree-shake or code-split these bundles. |
Google Tag Manager costs 343ms blocking + 621ms main-thread on desktop Rank #1 by blocking time on this page. Google Tag Manager transfers 299 KB and keeps the main thread busy for 621ms… | Critical | −£2.8k/mo | GTM's own weight usually means a lot of tags. |
Sized against this site's £241,196/mo revenue baseline pulled from your GA4 property over the trailing 30 days. Each finding is sized using one of three frameworks, and given an honest confidence flag — hover over any £ figure to see the math for that specific leak.
Confidence flags: High — bounded by data we have (measured ms→CVR curves, known revenue events). Medium — directionally right; magnitude has assumptions. Low — qualitative or hard to size; surfaced as Blind spot rather than a token figure.
Numbers are estimates, not contracts — they exist to help prioritise sprint work. Where a specific leak is fixed and re-measured, we update the model with actuals.
The most urgent problem for Vampire Vape is that tags are firing after users select "Reject All" on the consent banner, which represents a serious compliance risk under UK GDPR and PECR and is almost certainly the primary driver of the site's score of zero. Across the 25 URLs audited, this single issue accounts for the overwhelming majority of the 54 high-severity findings, meaning that tracking is systematically ignoring users' consent choices at scale. This exposes the business to potential regulatory scrutiny from the ICO and could undermine user trust if it came to light publicly. Separately, a duplicate GA4 installation was also identified, which, once the consent issue is resolved, will need to be addressed to prevent inflated session counts and skewed analytics data. Fixing the consent signal integration with the tag management setup should be treated as an immediate priority before any further data collection takes place.
Vampire Vape's GA4 property (354471494) is broadly healthy with a trust score of 86, recording 22,444 purchases and £710,750 in revenue during the audit window — but two issues threaten the reliability of that data. Seventeen product and category URLs are returning zero page_view events, creating blind spots across key SKUs and brand pages that will distort attribution and merchandising decisions. A 61% spike in session_start events also signals a likely tagging regression that could be inflating session counts and skewing all downstream channel and conversion metrics.
Vampire Vape's mobile performance is sitting in the danger zone — scores as low as 50 on key pages — putting organic rankings and paid landing page Quality Scores at measurable risk; the single biggest revenue-adjacent issue is a third-party stylesheet (srverror.com/styles.css) blocking render on 86% of pages and wasting over 65 seconds of aggregate load time across the site, meaning shoppers on mobile are staring at blank screens before they can browse or convert. Two root causes — unoptimised Google Tag Manager tag firing and render-blocking CSS and font resources — are suppressing scores that could realistically reach the low-to-mid 90s with targeted fixes, directly improving ad efficiency and SEO visibility.
Rank #1 by blocking time on this page. Google Tag Manager transfers 299 KB and keeps the main thread busy for 621ms, delaying INP and TBT. It fires BEFORE consent according to the tracking audit — so it's degrading experience for users who reject cookies too.
Fix: GTM's own weight usually means a lot of tags. Run GTM Preview and look for tags firing on every page that could be scoped to specific events or URLs.
Rank #1 by blocking time on this page. Google Tag Manager transfers 299 KB and keeps the main thread busy for 414ms, delaying INP and TBT. It fires BEFORE consent according to the tracking audit — so it's degrading experience for users who reject cookies too.
Fix: GTM's own weight usually means a lot of tags. Run GTM Preview and look for tags firing on every page that could be scoped to specific events or URLs.
Rank #2 by blocking time on this page. Cookiebot transfers 141 KB and keeps the main thread busy for 189ms, delaying INP and TBT. It fires BEFORE consent according to the tracking audit — so it's degrading experience for users who reject cookies too.
Fix: Load Cookiebot with `async defer`, push it as late as safely possible, and if it's tag-manager-loaded, add a consent trigger. If it's not strictly needed for functionality, lazy-load on first interaction.
Vendors firing despite Reject All: GA4. This breaches GDPR/PECR and is incompatible with Consent Mode v2 'denied' signals.
Fix: Add consent-aware GTM triggers (Consent Mode v2 'ad_storage' / 'analytics_storage' = denied) and verify tags wait for an Update signal before firing.
Detected phone in params ['_p', 'cid', 'gtm', 'sid', 'uafvl'] of https://region1.google-analytics.com/g/collect?…
Fix: Hash, redact, or remove PII before sending. Use Enhanced Conversions / CAPI with hashed values where required.
The top offenders: /styles.css (202ms); /css (201ms). Every ms saved here shows up in FCP and usually LCP too.
Fix: Move non-critical CSS to preload + onload flip, or inline critical CSS for above-the-fold. For scripts, add `defer` (or `async` for independent scripts). If the file is first-party + required, consider HTTP/2 push or bundle it into the initial chunk.
Found 3 instances of GA4 on the same page; may double-count events.
Fix: Audit GTM containers + hard-coded snippets and keep a single GA4 install.
Seen on 86/100 audited mobile pages.
Fix: This single file blocks render across most of the site. Defer it (add `defer`), preload it, or inline its critical portion. Biggest sitewide win per line-of-change you'll find.
The top offenders: /styles.css (780ms); /css (780ms). Every ms saved here shows up in FCP and usually LCP too.
Fix: Move non-critical CSS to preload + onload flip, or inline critical CSS for above-the-fold. For scripts, add `defer` (or `async` for independent scripts). If the file is first-party + required, consider HTTP/2 push or bundle it into the initial chunk.
Top files: /gtag.js/js (65KB / 41%); /assets/en/lipscore-v1.js (62KB / 76%); /gtm.js (60KB / 43%); /f1ba143c-1f4b-4949-a465-e709abdeeb5e/cc.js (25KB / 24%); /uc.js (22KB / 64%). Every KB of JS costs network time + parse time + compile time. Unused code is pure waste.
Fix: Tree-shake or code-split these bundles. For third-party, check whether you can import subsets (e.g. lodash → lodash-es per-method). For first-party, consider dynamic imports on the routes that actually need them.
The top offenders: /styles.css (201ms); /css (201ms). Every ms saved here shows up in FCP and usually LCP too.
Fix: Move non-critical CSS to preload + onload flip, or inline critical CSS for above-the-fold. For scripts, add `defer` (or `async` for independent scripts). If the file is first-party + required, consider HTTP/2 push or bundle it into the initial chunk.
LCP element snippet: `[LAZY_LOADED|NO_FETCHPRIORITY] <img width="1920" height="1080" style="aspect-ratio: auto 1920 / 1080" src="https://www.vampirevape.co.uk/media/.renditions/wysiwyg/hyva-theme-placeho…… alt="Double points on all Vampire Vape e-liquid`
Fix: The LCP element is an image — the single most impactful fix is usually preloading it and serving it in AVIF/WebP at the exact display size.
+ 129 more findings — see the detailed dashboards.