Hello, and thank you for your legitimate question about one of our websites. Before answering you need to know that the Complianz GDPR/CCPA plugin works with geo-Ip. That means the plugin dynamically uses the cookielaws and DPA opinions from the region the actual visitor of a website comes from. So if the visitor comes from the UK (https://complianz.io/brexit-and-gdpr-the-new-ico-guidance-pecr/) consent is always asked for statistical and tracking cookies; In the Netherlands and France however first party analytics and anonymous statistical cookies are allowed without asking for consent; but according to the German DPA anonymous first party cookies from Google Analytics are always forbidden unless you ask for consent from the German visitor (https://complianz.io/google-analytics/). Our plugin changes the banner, the legal documents and the cookies it blocks based on where the visitors come from. This is a unique feature. For visitors from the United States we show an opt-out banner and place all the cookies at once, in Canada we use the pipeda rules (https://complianz.io/canada-casl-and-pipeda/) and In India there is no regulation specifically governing the use of cookies, so a visitor from that region would not see our cookiebanner at all.
Basically you are asking us why online testers sometimes come to the wrong conclusions. There can be many reasons for that. To name a few:
1) Online testers do not work region based. They only use one set of rules, so there is no room for (legal) exceptions.
2) Online testers sometimes have their servers based in regions such as India, so that influences the results when testing a website and plugin like ours that uses Geo-IP.
The cookies your scan found are from Google analytics and hotjar. Both services are configured (by using the DPA guidelines) in a way that the data collected is considered to be anonymous.
Thank you once again for your question, and I hope you will give our plugin a try.