The scanner · methodology

We check 153 things that the DPC, CCPC and your users expect from your website.

Spread across 7 compliance areas. Run automatically in ±60 seconds. One page free, whole site from €2.50.

Start a free check See a sample report →

Why this matters

€2.1bn
GDPR fines in 2024
European data protection authorities issued over €2.1 billion in fines in 2024. The Irish DPC leads on cross-border tech enforcement.
€800–1500
Per image
Copyright agencies like Pixsy and Permission Machine send tens of thousands of demand letters per year. Settlements up to €1,500 per photo.
€60,000
CCPC fine ceiling
The Consumer Protection Act 2007 lets the CCPC seek fines of up to €60,000 on indictment per breach. Repeated breaches can trigger compliance notices and injunctions.
< 1 hour
Typical fix
A single issue can cost more than years of prevention. Most fixes in our report take under an hour to implement.

The 7 areas, in detail.

What we check, specifically
Origin detection via reverse image search (TinEye index, ±50M images)
Match against known stock libraries (Getty, Shutterstock, Adobe Stock)
EXIF & metadata analysis for licence indicators
Detection of AI-generated images (Stable Diffusion, Midjourney signatures)
CRRA 2000 s.37
CRRA 2000 s.128
EU InfoSoc Directive 2001/29/EC
Sample finding
High
Potentially unlicensed Getty Images photo found on /about-us.
The risk if you ignore this
Demand letters from Pixsy, Permission Machine or solicitors specialising in copyright. Settlements €800–€1,500 per image, higher in commercial use. The Copyright and Related Rights Act 2000 provides for additional damages where infringement is flagrant.
What we check, specifically
Cookie banner: pre-consent detection (scripts firing before "Accept")
Privacy notice: presence + 13 mandatory items under GDPR Art. 13
Processor register: third-party scripts identified and mapped
International transfers: detection of US/non-adequate endpoints (Schrems II)
Data subject rights: contact route for SARs/erasure requests in place
GDPR Art. 6, 13, 28
Data Protection Act 2018 s.141
SI 336/2011 reg. 5
Sample finding
Critical
Google Analytics loads before cookie consent.
The risk if you ignore this
DPC fines can reach €20M or 4% of global turnover under GDPR Art. 83. For SMEs the more common exposure is the DPC’s Cookie Sweep enforcement: SI 336/2011 reg. 5 requires prior consent before non-essential cookies; fines up to €5,000 per breach summarily.
What we check, specifically
Alt text on meaningful images (WCAG 1.1.1)
Colour contrast: text at least 4.5:1, large text 3:1 (WCAG 1.4.3)
Keyboard navigation: tab order, visible focus states
Form fields: labels, error messages, screen-reader compatibility
Video & audio: captions, transcripts (WCAG 1.2.x)
PDF accessibility: tagged structure, reading order (Premium only)
SI 636/2023
EAA Directive 2019/882
WCAG 2.2 AA
EN 301 549
Sample finding
High
12 images without alt text (WCAG 1.1.1).
The risk if you ignore this
The EU (Accessibility Requirements of Products and Services) Regulations 2023 transpose the EAA — enforceable since 28 June 2025. The CCPC and sectoral regulators can impose Class A fines (up to €5,000 on summary conviction; unlimited on indictment) and require remediation.
What we check, specifically
TLS configuration: certificate validity, cipher suites, protocol versions
HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
Known vulnerabilities: jQuery, WordPress, plugins (CVE database matching)
Mixed content: HTTP resources on HTTPS pages
Subresource Integrity (SRI) on external scripts
GDPR Art. 32
NIS2 Directive 2022/2555
NCSC-IE guidance
Sample finding
High
Content-Security-Policy header missing.
The risk if you ignore this
No direct fine, but GDPR Art. 32 requires "appropriate technical measures". A breach caused by a known vulnerability is an aggravating factor — recent DPC decisions cite outdated CMS plugins as a key reason for uplift. The NIS2 transposition adds incident-reporting duties for essential entities.
What we check, specifically
Company name & number: visible per Companies Act 2014 s.151
Registered office address: present in footer or contact page
VAT number: visible where the trader is VAT-registered
Terms & Conditions: present, downloadable, incorporated at point of contract
Contact route: email or form, not just a premium-rate number
Companies Act 2014 s.151
Consumer Protection Act 2007
EC (Electronic Commerce) Regs 2003
Sample finding
Medium
Company number missing from website footer (Companies Act 2014 s.151).
The risk if you ignore this
CCPC enforcement under the Consumer Protection Act 2007 — fines up to €5,000 on summary conviction or €60,000 on indictment per breach. The CRO may also impose late-filing penalties and strike-off proceedings.
What we check, specifically
Double opt-in: confirmation email on sign-up
Unsubscribe link: present and functional in every email
Consent records: timestamp, IP, form text retained
Specific checkbox for marketing — not pre-ticked (Planet49 ruling)
Send from your own domain (SPF/DKIM aligned)
SI 336/2011 reg. 13
GDPR Art. 7
DPC direct marketing guidance
Sample finding
Medium
Newsletter form without double opt-in.
The risk if you ignore this
SI 336/2011 reg. 13 prohibits unsolicited B2C marketing without consent. The DPC can prosecute — fines up to €5,000 per email on summary conviction, €50,000 on indictment. ComReg also takes enforcement action.
What we check, specifically
Order button text: clearly indicates obligation to pay (Consumer Rights Act 2022 s.30)
Cancellation form: 14-day cooling-off model available, instructions in checkout
Price presentation: total price incl. VAT and delivery shown before order
Delivery time: stated concretely (no vague terms like "fast")
Statutory vs commercial guarantees: clearly distinguished
SI 484/2013 reg. 14
Consumer Rights Act 2022
Consumer Protection Act 2007
Sample finding
High
Order button does not clearly state "obligation to pay".
The risk if you ignore this
Under the EU (Consumer Information, Cancellation and Other Rights) Regulations 2013 reg. 14, an unclear order button means the consumer is not bound by the contract. Plus CCPC action under the Consumer Protection Act 2007.

Methodology

How we run it — without the black box.

See our open-source work on GitHub →

01

Research into applicable rules

We track EU-wide legislation (GDPR, EAA, ePrivacy) and the Irish overlay (Data Protection Act 2018, SI 336/2011, Consumer Protection Act 2007, Companies Act 2014). When the DPC or CCPC publishes new enforcement guidance, our checklist is updated.

02

Automated validation

Every testable rule gets a deterministic check: a real browser loads the page (Playwright/Chrome), we read DOM, headers, requests and TLS configuration. No "AI magic" where code can give an honest answer.

03

AI for more complex checks

For rules that aren't a simple checkbox — completeness of a privacy notice, dark patterns in a checkout, tone of consent copy — we use a combination of the latest local and cloud models, tuned for this purpose. Used in a targeted way and always traceable back to the source rule.

Want to know where your site stands?

One page free. No registration. Results in 60 seconds — with concrete next steps.

Start a free check →

We check 153 things that the DPC, CCPC and your users expect from your website.

The 7 areas, in detail.

Image copyright

Accessibility

Security

Legal pages

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?

We check 153 things that the DPC, CCPC and your users expect from your website.

The 7 areas, in detail.

Image copyright

GDPR & Privacy

Accessibility

Security

Legal pages

Newsletter

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?