Violation & Fingerprinting Detection
Identifies pre-consent trackers, covert fingerprinting techniques and storage abuse — the exact patterns regulators flag, captured at the network layer.
ComplianceMonitor.io scans any URL and flags every cookie, tracker and third-party request that fires before the visitor gives consent.
Paste any URL. We'll load it in a real browser and report every cookie, tracker and third-party request that fires before consent.
A cookie banner is the visible 5%. The other 95% is what your visitors' browsers actually do before they get a choice.
Tracks compliance over time. Get alerted the moment a new tag, vendor or marketing tool quietly breaks what was already approved.
Audits the same URL against GDPR, ePrivacy, CCPA, LGPD and Greek Law 4624/2019 — each framework, each region, in one report.
Every finding ships with timestamped network proof. Pull it via the Evidence API into your DPO workflow, legal hold system or audit log.
Four references that sit behind every scan: the deceptive UX patterns we flag, the trackers we recognise, the regulations we audit against, and the vocabulary your team needs to talk about all of it.
Websites often employ psychological tricks to force users into decisions they didn't intend to make. ComplianceMonitor.io detects these deceptive design patterns during every scan.
A website makes the 'Accept All' button visually dominant — bright color, larger size — while the 'Reject All' or 'Settings' button is minimized, greyed out, or disguised as plain text. This tricks users into accepting tracking because they assume it's the only primary action.
Using deceptive layouts, hiding options, or manipulating the user's focus away from privacy-preserving choices.
Ensure both 'Accept' and 'Reject' buttons have equal visual weight, size, and contrast. Neither choice should be visually prioritized over the other.
The option to decline non-essential cookies is buried in secondary layers or menus. Users are forced to click 'Settings', navigate through multiple screens, and uncheck boxes manually, whereas accepting takes just one click on the first layer.
Provide a clear 'Reject All' button on the first layer of the consent banner, right next to the 'Accept All' button.
A cookie wall is a strict barrier that prevents users from accessing any part of a website unless they consent to the use of cookies and trackers. This violates the principle that consent must be freely given.
Allow users to consume the basic content of the website even if they refuse non-essential cookies. Do not gate content behind mandatory tracking.
When a user opens the cookie 'Settings' panel, categories for marketing or analytics are already checked by default. Under GDPR, silence or inactivity does not constitute consent; it requires a positive, opt-in action.
All non-essential cookie categories must be unchecked by default. Users must actively select them to give valid consent.
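One way to turn the "visual dominance" pattern above into a measurable check, comparing the Accept and Reject buttons on size and on how strongly each stands out from the banner. This is an added example, not ComplianceMonitor.io's own code; the button and banner styles are constructed, and the luminance and contrast maths follows the WCAG 2.x definitions.

```python
# Added example, not ComplianceMonitor.io code: a check for the "visual
# dominance" pattern, comparing Accept and Reject buttons on size and on
# how strongly each stands out from the banner. The button/banner styles are
# constructed; luminance and contrast use the WCAG 2.x definitions.

def luminance(hex_rgb):
    """Relative luminance of a #rrggbb colour (WCAG 2.x, sRGB)."""
    chans = [int(hex_rgb.lstrip("#")[i:i + 2], 16) / 255 for i in (0, 2, 4)]
    lin = [c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4 for c in chans]
    return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]

def contrast(colour_a, colour_b):
    """WCAG contrast ratio between two colours, from 1.0 (identical) to 21.0."""
    hi, lo = sorted((luminance(colour_a), luminance(colour_b)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

def prominence(button, banner_bg):
    """How much a button stands out: its fill or, for text-only buttons, its text."""
    return max(contrast(button["bg"], banner_bg), contrast(button["fg"], banner_bg))

def dominance_issues(accept, reject, banner_bg, max_ratio=1.5):
    """Measures on which 'Accept' is more than max_ratio times as prominent as
    'Reject'. An empty list means the two choices carry equal visual weight."""
    issues = []
    if (accept["w"] * accept["h"]) / (reject["w"] * reject["h"]) > max_ratio:
        issues.append("size")
    if prominence(accept, banner_bg) / prominence(reject, banner_bg) > max_ratio:
        issues.append("contrast")
    if not reject.get("button_styled", True):  # reject rendered as plain text
        issues.append("styling")
    return issues

# Constructed banner: bright filled Accept next to a grey text-only Reject.
BANNER_BG = "#f4f4f4"
ACCEPT = {"w": 160, "h": 44, "fg": "#ffffff", "bg": "#0057ff", "button_styled": True}
REJECT = {"w": 90, "h": 30, "fg": "#999999", "bg": "#f4f4f4", "button_styled": False}
```

The 1.5 threshold is an assumed tolerance; in practice the measurements would be read from the rendered banner's computed styles rather than typed in.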
Which scripts do the websites you visit load? How do these tools process your data? Explore the web's most popular trackers and their privacy implications.
_ga
The most widely used tool for tracking user behaviour and website traffic.
Analytics
Although its purpose is primarily statistical, IP addresses must be anonymised and explicit consent is required under GDPR before the script loads.
Collects statistical data on how visitors interact with the website. It tracks session duration, pages visited, bounce rate, and user acquisition channels.
Google Analytics uses first-party cookies (like _ga) to distinguish unique users. It can share data with Google Signals for cross-device tracking if enabled by the site owner.
_fbp
Used by the Meta ecosystem to target ads and measure campaign performance across the web.
Advertising
Meta aggregates this data to profile users across thousands of websites. Explicit user opt-in is required before the pixel executes.
Tracks conversions from Facebook ads, optimises ad delivery, builds targeted audiences, and retargets users who have previously interacted with a website.
The _fbp cookie identifies users for advertising purposes across the web. It sends events (like AddToCart or PageView) directly to Meta's servers.
_hjSessionUser
Provides analytics through screen recordings and click heatmaps for UX analysis.
Session recording
If not configured correctly, session recorders can capture highly sensitive personally identifiable information (PII) directly from the screen.
Records mouse movements, clicks, scrolling activity, and keystrokes to help site owners understand user behaviour visually.
Hotjar sets cookies like _hjSessionUser to persist session data. It is crucial to suppress keystrokes in password or credit card fields.
OptanonConsent
A platform used by domains to manage cookie banners and user consent preferences.
Consent management
Low direct risk. However, if implemented improperly, it may signal compliance while background trackers still fire (Pre-Consent Tracking).
Displays cookie banners, collects user consent preferences, and blocks other scripts until consent is given.
Sets cookies like OptanonConsent and OptanonAlertBoxClosed to remember user choices across sessions.
Global privacy laws can be complex. We break down exactly what each framework expects from your website and explain user rights in plain language.
The toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, so long as they target or collect data related to people in the EU. Non-compliance can result in fines up to €20 million or 4% of global revenue.
After Brexit, the UK retained the GDPR by incorporating it into domestic law as the 'UK GDPR', supplemented by the Data Protection Act 2018. It is enforced by the Information Commissioner's Office (ICO) and maintains broadly similar requirements to the EU GDPR, with some UK-specific adjustments for adequacy decisions and international transfers.
An evolution of the CCPA, the CPRA introduced the California Privacy Protection Agency (CPPA) as a dedicated enforcement body and expanded consumer rights. Unlike GDPR's opt-in model, the CPRA uses opt-out mechanics but places strict requirements around the sale and sharing of personal information.
South Korea's strict data protection regime, considered one of the most rigorous in Asia. Enforced by the Personal Information Protection Commission (PIPC), it requires explicit and granular consent for data collection and imposes heavy penalties for violations.
Confused by the jargon in data protection laws and tech discussions? Use our glossary to understand complex privacy terminology in plain language.
Three steps. No accounts, no SDK, no JavaScript on your site. Just paste a URL and let a fresh Chromium session do what regulators do: visit you cold and watch what fires.
Any page on the public web. We never ask for credentials, analytics access or a tag on your site.
Fresh Chromium session, EU IP, no prior consent stored. Every request, cookie and storage write is captured at the network layer.
A scored report with concrete violations, the regulation each one breaks, and timestamped evidence ready for your DPO or legal team.
Anonymized scans of widely used services. Industry, not brand — but every number is real, captured at the network layer.
Most websites pass a glance and fail a scan. Tag managers fire on page-load, analytics phone home before the banner paints, and pixels drop cookies the moment the visitor arrives. Regulators look at the network — and so do we.
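The cold-visit logic described in the three steps above and in the tracker catalogue, as an added example that is not ComplianceMonitor.io's own code: it takes a capture of browser events (one record per request, cookie write or storage write, each stamped in milliseconds since navigation start) and returns timestamped findings for every recognised non-essential tracker that fired before consent. The cookie-name prefixes come from the catalogue on this page; the endpoint hostnames, the event format and the sample capture are assumptions.

```python
# Added example, not ComplianceMonitor.io code. It assumes the scanner emits
# one dict per request, cookie write or storage write, each with a millisecond
# timestamp since navigation start; catalogue hosts and the capture are made up.
# Cookie/storage name prefixes from the tracker catalogue -> (vendor, category)
COOKIE_CATALOGUE = {
    "_ga": ("Google Analytics", "Analytics"),
    "_fbp": ("Meta Pixel", "Advertising"),
    "_hj": ("Hotjar", "Session recording"),
    "Optanon": ("OneTrust", "Consent management"),
}
# Assumed hostname fragments for the same vendors' collection endpoints
HOST_CATALOGUE = {
    "google-analytics.com": ("Google Analytics", "Analytics"),
    "facebook.com": ("Meta Pixel", "Advertising"),
    "hotjar.com": ("Hotjar", "Session recording"),
}
EXEMPT = {"Consent management"}  # strictly necessary, may precede consent

def classify(event):
    """Map one captured event to (vendor, category), or None if unrecognised."""
    if event["kind"] in ("cookie", "storage"):
        hits = [m for p, m in COOKIE_CATALOGUE.items() if event["name"].startswith(p)]
    else:
        hits = [m for h, m in HOST_CATALOGUE.items() if h in event["url"]]
    return hits[0] if hits else None

def pre_consent_findings(events, consent_at_ms=None):
    """Return (t_ms, vendor, category, evidence) for each non-exempt tracker
    that fired before consent. consent_at_ms=None is the cold visit: nothing
    was ever approved, so every recognised event is a finding."""
    findings = []
    for ev in sorted(events, key=lambda e: e["t_ms"]):
        if consent_at_ms is not None and ev["t_ms"] >= consent_at_ms:
            break  # everything after the visitor's choice is out of scope here
        meta = classify(ev)
        if meta and meta[1] not in EXEMPT:
            findings.append((ev["t_ms"], meta[0], meta[1], ev.get("name") or ev["url"]))
    return findings

# Constructed cold-visit capture: the CMP cookie lands first, then analytics
# and the ad pixel fire from the tag manager before any banner interaction.
SAMPLE_EVENTS = [
    {"t_ms": 120, "kind": "cookie", "name": "OptanonAlertBoxClosed"},
    {"t_ms": 310, "kind": "request", "url": "https://www.google-analytics.com/g/collect?v=2"},
    {"t_ms": 322, "kind": "cookie", "name": "_ga"},
    {"t_ms": 540, "kind": "request", "url": "https://www.facebook.com/tr?ev=PageView"},
    {"t_ms": 545, "kind": "cookie", "name": "_fbp"},
    {"t_ms": 2800, "kind": "storage", "name": "_hjSessionUser_12345"},
]
```

The evidence field keeps the raw cookie name or URL verbatim so each finding can be tied back to the capture it came from.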
Yes. No card, no account, no trial. Run as many scans as you like. We may rate-limit very heavy use from a single IP to keep the service fair.
Reports are kept for 30 days so you can re-open the same link, then permanently deleted. We don't publish or index them anywhere.
No. ComplianceMonitor.io is a technical scanner. It tells you what your site does. Whether that breaks the law in your jurisdiction is a question for your DPO or lawyer — and our reports are designed to be the evidence they need.
Today we only support publicly reachable URLs. Authenticated scanning is on the roadmap — get in touch if you have a real use case.
Almost always, yes. Blocking trackers before consent removes dozens of third-party requests from the critical path — most clients see Largest Contentful Paint drop by 200–600ms.
No setup required. Paste a URL, hit scan, and see exactly what tracking fires before your visitors give consent.