We believe honest transparency about capabilities and limitations builds more trust than inflated claims. Here is exactly what GDPR Privacy Monitor checks, our confidence levels, and what falls outside our scope.
| Check Category | What We Look For | Confidence |
|---|---|---|
| Pre-consent tracking | Cookies, trackers, and scripts active before the user interacts with the consent banner | High (Verified CMP) / Medium (Compatible CMP) |
| Cookie classification | Categorization into necessary, analytics, marketing, functional | High for 5,000+ known cookies; "unclassified" for unknown cookies |
| CMP detection | Consent banner presence and CMP type identification | High: CookieYes, Cookiebot. Medium: OneTrust, iubenda, Complianz, Didomi, Quantcast + 15 others |
| Reject flow verification | Whether "Reject" actually stops tracking cookies and third-party requests | High for Verified CMPs with known reject selectors |
| Banner accessibility | Keyboard navigation, color contrast, touch targets, ARIA labels (WCAG) | High (browser DOM measurements) |
| Visual prominence | Whether reject is as prominent as accept (dark pattern detection) | Medium (CSS sampling, may vary by viewport) |
| Cookie wall detection | Whether content is blocked until consent is given | Medium (heuristic-based) |
| Google Consent Mode v2 | Detection, plus mismatch analysis between the declared consent state and observed behavior | High (runtime interception) |
| Data flow mapping | Third-party data destinations, organizations, and adequacy status | Medium (45% of domains unmapped) |
| External font loading | Google Fonts and other CDN requests made before consent, which disclose the visitor's IP address to the CDN (LG München ruling) | High (URL pattern matching) |
| Mixed content | HTTP resources loaded on HTTPS pages (security of processing) | High (network request analysis) |
| Insecure cookies | Tracking cookies set without the Secure flag or without an appropriate SameSite attribute | High (cookie attribute inspection) |
| Browser fingerprinting | Pre-consent calls to fingerprinting-sensitive APIs (Canvas, WebGL, fonts) | Medium (compound scoring of intercepted signals) |
| Evidence collection | HAR network log, page screenshots, banner screenshots | High (100% coverage on successful scans) |
| Preference center analysis | Second-layer category toggles, pre-selected optional categories | High for Verified CMPs |
| DPA enforcement context | Historical enforcement fines and cases mapped to detected findings | High (structured enforcement database, 22+ jurisdictions) |
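Four of the checks above (pre-consent third-party requests, external font loading, mixed content, and insecure cookie attributes) can be reproduced offline from the HAR file alone. The script below is an added illustration written for this page, not the product's own scanner code. It assumes the HAR follows the standard HAR 1.2 layout (`log.entries[]` with `request.url`, `startedDateTime` and `response.headers[]`), that the scan recorded the moment the consent button was clicked as an ISO timestamp, and that "third-party" can be approximated by comparing the last two hostname labels (a real tool would use the Public Suffix List). The sample HAR is constructed for the example. Checks that depend on runtime interception (Consent Mode v2 state, fingerprinting API calls) cannot be recovered from a HAR and are out of scope here.

```javascript
// Added example: offline HAR checks mirroring four table rows. Not the product's code.
// Hosts treated as "external font CDN" (assumed list, extend as needed).
const FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// Naive registrable-domain guess: last two labels. Real tooling uses the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into name + the attributes we care about.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(";").map((s) => s.trim());
  const flags = new Map();
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    flags.set(k.toLowerCase(), v === undefined ? true : v.trim());
  }
  return { name: nameValue.split("=")[0], secure: flags.has("secure"), sameSite: flags.get("samesite") || null };
}

// A cookie without Secure, or without an explicit SameSite, is reported.
function cookieProblems(cookie) {
  const problems = [];
  if (!cookie.secure) problems.push("missing Secure");
  if (!cookie.sameSite) problems.push("missing SameSite");
  return problems;
}

// Walk every entry once and collect findings. Cookies are only inspected on
// third-party responses, a simplification standing in for "tracking cookie".
function analyzeHar(har, pageUrl, consentAt) {
  const page = new URL(pageUrl);
  const pageDomain = registrableDomain(page.hostname);
  const consentTime = Date.parse(consentAt);
  const findings = { preConsentThirdParty: [], externalFonts: [], mixedContent: [], insecureCookies: [] };

  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const thirdParty = registrableDomain(url.hostname) !== pageDomain;
    const preConsent = Date.parse(entry.startedDateTime) < consentTime;

    if (preConsent && thirdParty) findings.preConsentThirdParty.push(url.href);
    if (preConsent && FONT_HOSTS.has(url.hostname)) findings.externalFonts.push(url.href);
    if (page.protocol === "https:" && url.protocol === "http:") findings.mixedContent.push(url.href);

    for (const h of entry.response.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      const cookie = parseSetCookie(h.value);
      const problems = cookieProblems(cookie);
      if (thirdParty && problems.length) findings.insecureCookies.push({ host: url.hostname, name: cookie.name, problems });
    }
  }
  return findings;
}

// Constructed sample capture: consent is clicked at 10:00:02; entries before that are pre-consent.
const PAGE_URL = "https://shop.example/";
const CONSENT_AT = "2024-05-01T10:00:02.000Z";
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-05-01T10:00:00.000Z", request: { url: "https://shop.example/" },
    response: { headers: [{ name: "Set-Cookie", value: "session=abc; Secure; HttpOnly; SameSite=Lax" }] } },
  { startedDateTime: "2024-05-01T10:00:00.200Z", request: { url: "https://fonts.googleapis.com/css2?family=Inter" },
    response: { headers: [] } },
  { startedDateTime: "2024-05-01T10:00:00.400Z", request: { url: "https://tracker.example-ads.net/pixel" },
    response: { headers: [{ name: "Set-Cookie", value: "uid=123; Path=/" }] } },
  { startedDateTime: "2024-05-01T10:00:00.500Z", request: { url: "http://cdn.shop.example/logo.png" },
    response: { headers: [] } },
  { startedDateTime: "2024-05-01T10:00:05.000Z", request: { url: "https://cdn.analytics.example/collect" },
    response: { headers: [{ name: "Set-Cookie", value: "_ga_x=1; Secure; SameSite=None; Path=/" }] } },
] } };

console.log(JSON.stringify(analyzeHar(SAMPLE_HAR, PAGE_URL, CONSENT_AT), null, 2));
```

Against the sample, the font request and the ad pixel are reported as pre-consent third-party traffic, the logo is reported as mixed content, and only the pixel's `uid` cookie is reported as insecure; the analytics cookie is set after consent and carries both attributes, so it is silent. Swapping `SAMPLE_HAR` for a HAR from an evidence pack lets you re-derive those rows independently of the report's scoring.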
| Limitation | Why | What We Do Instead |
|---|---|---|
| Server-side tracking | Cannot see server-to-server data transfers | We detect client-side indicators and note the limitation in the report |
| Geotargeted banners | We scan from EU (Germany); may miss geo-specific configurations | We note viewport and location in every report for transparency |
| Mobile app consent | We scan websites, not native mobile apps | Mobile viewport scanning available for responsive sites |
| Legal policy quality | We do not assess privacy policy text quality in depth | AI-powered policy gap detection compares the policy's disclosures against observed runtime behavior and flags what is missing |
| Cookie purpose accuracy | Some cookies lack reliable classification in public databases | We label as "unclassified" with honest scoring rather than guessing |
| Dynamic SPA timing | Single-page apps may load consent banners late or asynchronously | We use adaptive waiting strategies and report "could not detect" when uncertain |
| Post-scan changes | Websites change after we scan them | Continuous monitoring catches regressions; each report is timestamped |
| Cross-origin iframe banners | Some CMPs render banners in cross-origin iframes that cannot be inspected | We detect CMP signals and report banner visibility uncertainty |
When we are not confident about a finding, we say so. We will never manufacture false positives to inflate detection numbers. An honest "cannot determine" is more valuable than a confident wrong answer.
Our 0–100 score indicates technical risk, not legal compliance status. A low score means fewer technical risk indicators were found — it does not certify GDPR compliance. Only legal counsel can determine compliance.
We do not sell consent banners, CMP software, or cookie solutions. This means we have no conflict of interest — we can tell you honestly when your CMP is misconfigured, even if it's a popular one.
Every finding is backed by HAR network data and screenshots. You can verify any finding independently using the evidence pack we provide. No black-box scoring — full transparency.
Run a free scan and see exactly what we detect on your website, with full evidence and a transparent risk score breakdown.