The scanner · methodology

We check 153 things that regulators, lawyers and users expect from your website.

Spread across 7 compliance areas. Run automatically in ±60 seconds. One page free, whole site from £2.50.

Start a free check See a sample report →

Why this matters

€2.1bn
GDPR fines in 2024
European data protection authorities issued over €2.1 billion in GDPR fines in 2024 alone. SMEs are increasingly in scope.
£800–1500
Per image
Image rights firms like Pixsy and Permission Machine send tens of thousands of demand letters per year. Settlements up to £1,500 per photo.
£500,000
PECR fine ceiling
The ICO can issue PECR penalties up to £500,000 for serious breaches (e.g. unlawful marketing emails or unconsented cookies). UK GDPR fines go far higher: 4% of global turnover or £17.5m.
< 1 hour
Typical fix
A single issue can cost more than years of prevention. Most fixes in our report take under an hour to implement.

The 7 areas, in detail.

What we check, specifically
Origin detection via reverse image search (TinEye index, ±50M images)
Match against known stock libraries (Getty, Shutterstock, Adobe Stock)
EXIF & metadata analysis for licence indicators
Detection of AI-generated images (Stable Diffusion, Midjourney signatures)
CDPA 1988 s.16
CDPA 1988 s.97
Enterprise Act 2016 s.13
Sample finding
High
Potentially unlicensed Getty Images photo found on /about-us.
The risk if you ignore this
Demand letters from Pixsy, Permission Machine or specialist solicitors. Settlements £800–£1,500 per image, higher in commercial use. Section 97 of the Copyright, Designs and Patents Act 1988 allows additional damages where infringement is flagrant.
What we check, specifically
Cookie banner: pre-consent detection (scripts firing before "Accept")
Privacy notice: presence + 13 mandatory items under UK GDPR Art. 13
Processor register: third-party scripts identified and mapped
International transfers: detection of US/non-adequate endpoints (post-Schrems II)
Data subject rights: contact route for SARs/erasure requests in place
UK GDPR Art. 6, 13, 28
DPA 2018 s.137
PECR reg. 6
Sample finding
Critical
Google Analytics loads before cookie consent.
The risk if you ignore this
ICO fines can reach £17.5m or 4% of global turnover under UK GDPR. For SMEs the more common exposure is PECR fines up to £500,000 (e.g. cookies dropped before consent) plus reputational damage.
What we check, specifically
Alt text on meaningful images (WCAG 1.1.1)
Colour contrast: text at least 4.5:1, large text 3:1 (WCAG 1.4.3)
Keyboard navigation: tab order, visible focus states
Form fields: labels, error messages, screen-reader compatibility
Video & audio: captions, transcripts (WCAG 1.2.x)
PDF accessibility: tagged structure, reading order (Premium only)
Equality Act 2010 s.20–21
PSBAR 2018
WCAG 2.2 AA
EHRC guidance
Sample finding
High
12 images without alt text (WCAG 1.1.1).
The risk if you ignore this
Under the Equality Act 2010, failing to make 'reasonable adjustments' for disabled users is unlawful discrimination. Claims are heard in the County Court — typical settlements £3,000–£25,000 per claim plus costs. Public sector bodies face additional duties under PSBAR 2018.
What we check, specifically
TLS configuration: certificate validity, cipher suites, protocol versions
HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
Known vulnerabilities: jQuery, WordPress, plugins (CVE database matching)
Mixed content: HTTP resources on HTTPS pages
Subresource Integrity (SRI) on external scripts
UK GDPR Art. 32
NCSC Cyber Essentials
ICO security guidance
Sample finding
High
Content-Security-Policy header missing.
The risk if you ignore this
No direct fine, but UK GDPR Art. 32 requires "appropriate technical measures". A data breach caused by a known vulnerability is an aggravating factor — recent ICO decisions cite outdated CMS plugins as a key reason for uplift.
What we check, specifically
Company name & number: visible per Companies (Trading Disclosures) Regulations 2008
Registered office address: present in footer or contact page
VAT number: visible where the trader is VAT-registered
Terms & Conditions: present, downloadable, incorporated at point of contract
Contact route: email or form, not just a premium-rate number
Companies Act 2006 s.82
Companies (Trading Disclosures) Regs 2008
CPUTR 2008
Sample finding
Medium
Company number missing from website footer (Companies Regs 2008).
The risk if you ignore this
Trading Standards / CMA enforcement under the Consumer Protection from Unfair Trading Regulations 2008 — fines up to £5,000 per offence on summary conviction, unlimited on indictment. Companies House can also impose a £200 penalty per non-compliant breach.
What we check, specifically
Double opt-in: confirmation email on sign-up
Unsubscribe link: present and functional in every email
Consent records: timestamp, IP, form text retained
Specific checkbox for marketing — not pre-ticked (Planet49 ruling)
Send from your own domain (SPF/DKIM aligned)
PECR reg. 22
UK GDPR Art. 7
ICO direct marketing guidance
Sample finding
Medium
Newsletter form without double opt-in.
The risk if you ignore this
ICO PECR fines up to £500,000 for unlawful direct marketing. The 'soft opt-in' for existing customers only applies if the recipient was given a clear opt-out at the point of sale and in every message. Class actions for spam can target individual directors.
What we check, specifically
Order button text: clearly indicates obligation to pay (Consumer Contracts Regs 2013 reg. 14)
Cancellation form: 14-day cooling-off model available, instructions in checkout
Price presentation: total price incl. VAT and delivery shown before order (CRA 2015)
Delivery time: stated concretely (no vague terms like "fast")
Statutory vs commercial guarantees: clearly distinguished (CRA 2015)
Consumer Contracts Regs 2013
Consumer Rights Act 2015
CPUTR 2008
Sample finding
High
Order button does not clearly state "obligation to pay" (CCR 2013 reg. 14).
The risk if you ignore this
If the order button does not make the payment obligation clear, the consumer is not bound by the contract (Consumer Contracts Regs 2013 reg. 14(5)). Plus Trading Standards action up to £5,000 per offence under CPUTR 2008.

Methodology

How we run it — without the black box.

See our open-source work on GitHub →

01

Research into applicable rules

We track UK + EU-wide legislation (UK GDPR, Equality Act 2010, PECR, Consumer Rights Act) and the national updates as they happen. When the ICO tightens a rule or publishes new enforcement guidance, our checklist is updated.

02

Automated validation

Every testable rule gets a deterministic check: a real browser loads the page (Playwright/Chrome), we read DOM, headers, requests and TLS configuration. No "AI magic" where code can give an honest answer.

03

AI for more complex checks

For rules that aren't a simple checkbox — completeness of a privacy notice, dark patterns in a checkout, tone of consent copy — we use a combination of the latest local and cloud models, tuned for this purpose. Used in a targeted way and always traceable back to the source rule.

Want to know where your site stands?

One page free. No registration. Results in 60 seconds — with concrete next steps.

Start a free check →

We check 153 things that regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

Accessibility

Security

Legal pages

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?

We check 153 things that regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

UK GDPR & Privacy

Accessibility

Security

Legal pages

Newsletter

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?