Free Website Privacy Scanner — GDPR & Cookie Compliance Check

One-line answer

WeLead Lab's free website privacy scanner runs 18 GDPR and CCPA compliance checks on any public URL in under 30 seconds — detecting cookies, tracking pixels, missing privacy policies, and cookie banner issues. No signup, no installation.

Why privacy compliance matters

Privacy regulations are no longer a "big company problem." Regulators worldwide are actively fining small and medium businesses for the exact violations a free website privacy scanner can catch in seconds.

  • GDPR fines can reach €20 million or 4% of global annual revenue, whichever is higher. In 2024 alone, European regulators issued more than €2.8 billion in GDPR fines — including seven-figure penalties against small e-commerce sites for nothing more than loading Google Analytics before consent.
  • CCPA fines in California start at $2,500 per unintentional violation and $7,500 per intentional violation. "Per violation" typically means per affected user, so a single leaky form can snowball into millions.
  • Private lawsuits are exploding. Plaintiffs' firms in the US now file class-action "wiretap" suits targeting websites that use session-replay tools like Hotjar or FullStory without proper consent. Settlements routinely hit six figures.
  • Customer trust is measurable. Cisco's 2024 Consumer Privacy Survey found 81% of consumers say a company's handling of their data directly affects whether they'll buy — and 37% have already switched providers over privacy concerns.
  • Regulatory pressure is increasing globally. Brazil's LGPD, India's DPDPA, the UK GDPR, Canada's CPPA, Australia's Privacy Act reforms, and at least 19 US state privacy laws are all now in force or coming in 2026. If your site is online, one of them applies to you.
  • The good news: most violations come from basic mistakes — a missing cookie banner, a tracking pixel loaded before consent, a broken "reject all" button. A GDPR compliance checker will surface all of them in a single scan.

What our free website privacy scanner checks — all 18 tests

Here's the complete list of checks the free website privacy scanner performs, grouped by category.

Cookie Security (5 checks)

  • Total cookie count — how many cookies your site sets on first visit, before any consent is given. GDPR requires this to be zero (or only strictly necessary cookies).
  • HttpOnly flag on all cookies — prevents JavaScript from reading session cookies, blocking cookie theft via XSS.
  • Secure flag on all cookies — ensures cookies are only transmitted over HTTPS, never in the clear.
  • SameSite attribute on all cookies — stops CSRF attacks and limits cross-site tracking.
  • No cookies with max-age > 1 year — ePrivacy guidance (EDPB Opinion 5/2019) explicitly flags multi-year cookies as disproportionate for most use cases.
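
To make the five cookie checks concrete, here is an added Python example (not WeLead Lab's scanner code) that parses raw Set-Cookie headers from a first, pre-consent response and reports which check each cookie fails. The sample headers and the scan time are constructed; the one-year threshold follows the page, and the extra SameSite=None-without-Secure rule is this example's own addition, since browsers reject that combination.

```python
"""Audit Set-Cookie headers against the five cookie checks listed above.

Added example, not the WeLead Lab scanner's code. The sample headers and
REFERENCE_NOW are constructed; a real audit would take the headers from the
first response of the page being scanned, before any consent is given.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60
# Constructed "time of scan", so Expires comparisons are reproducible.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample: what a site might send on the very first visit.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123456; Path=/; Max-Age=63072000; SameSite=None; Secure",
    "theme=dark; Path=/",
    "_fbp=fb.1.1700000000.99; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs).

    Attribute names are lower-cased; valueless attributes such as HttpOnly
    map to True so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"value": value}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def lifetime_seconds(attrs, now):
    """Return the cookie lifetime in seconds, or None for a session cookie.

    Max-Age takes precedence over Expires, as RFC 6265 specifies.
    """
    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            return int(max_age)
        except ValueError:
            return None
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            expires_at = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if expires_at.tzinfo is None:
            expires_at = expires_at.replace(tzinfo=timezone.utc)
        return int((expires_at - now).total_seconds())
    return None


def audit_cookie(header, now):
    """Return (name, failed checks) for a single Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    if "secure" not in attrs:
        issues.append("missing Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax", "none"):
        issues.append("missing or invalid SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that lack Secure. Not one of
        # the page's five checks; added here because it is cheap to test.
        issues.append("SameSite=None without Secure")
    lifetime = lifetime_seconds(attrs, now)
    if lifetime is not None and lifetime > ONE_YEAR_SECONDS:
        issues.append("lifetime exceeds one year")
    return name, issues


def cookie_report(headers, now=None):
    """Run all five checks over the pre-consent Set-Cookie headers.

    Returns the total cookie count (check 1) and the per-cookie failures
    (checks 2 to 5). `now` is injectable so Expires comparisons are testable.
    """
    now = now or datetime.now(timezone.utc)
    findings = dict(audit_cookie(h, now) for h in headers)
    return {"count": len(findings), "findings": findings}


if __name__ == "__main__":
    report = cookie_report(SAMPLE_SET_COOKIE, now=REFERENCE_NOW)
    print(f"{report['count']} cookies set before consent")
    for cookie_name, cookie_issues in report["findings"].items():
        print(f"  {cookie_name}: {', '.join(cookie_issues) or 'OK'}")
```

On the constructed sample the session cookie passes cleanly, `_ga` fails on HttpOnly and on its two-year Max-Age, `theme` fails all three flag checks, and `_fbp` fails on HttpOnly, SameSite and its multi-year Expires. Checking the count against the cookies a site sets before any banner interaction is the "total cookie count" test; anything beyond strictly necessary cookies at that point is the finding.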
Tracking Detection (6 checks)

  • Google Analytics 4 / Universal Analytics — the #1 tool cited in GDPR complaints. Multiple EU DPAs (France, Austria, Italy, Denmark) have ruled default GA usage illegal without additional safeguards.
  • Google Tag Manager — often loaded before consent, pulling in dozens of other trackers.
  • Meta / Facebook Pixel — subject to the Schrems II ruling and the 2024 Noyb complaints.
  • Hotjar and session-replay tools — the #1 target of US wiretap class actions.
  • HubSpot tracking and TikTok Pixel — both set persistent identifier cookies and transfer data outside the EU.
  • Third-party scripts count — every third-party script is a potential data processor you may need to disclose in your privacy policy.
Privacy Compliance (4 checks)

  • Privacy policy link present — GDPR Article 13, CCPA §1798.130, and virtually every global privacy law require a conspicuous, working privacy policy link.
  • Cookie consent banner detected — the scanner looks for common banner implementations (Cookiebot, OneTrust, Osano, Usercentrics, native banners).
  • Terms of service link — not strictly a privacy law requirement but expected by most consumer protection frameworks.
  • Contact information — GDPR requires you to disclose a contact point for data subject requests.
Data Collection (3 checks)

  • Form actions use HTTPS — collecting personal data over HTTP is a GDPR Article 32 violation by itself.
  • Password fields have secure autocomplete: autocomplete="current-password" and autocomplete="new-password" enable password managers and reduce phishing risk.
  • No inline tracking handlers: onclick="gtag(...)" and similar inline handlers bypass most consent-management platforms.
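
The tracking-detection and data-collection checks use the same passive approach as the cookie checks: parse the HTML of the first response and look at script sources, form targets, password inputs and inline event handlers. The following is an added Python example (not WeLead Lab's scanner code) built on the standard library only. The tracker host list and the inline-call patterns are a small illustrative set chosen for this example, not the scanner's signature database, and the page it scans is a constructed sample.

```python
"""Passive HTML checks: known tracker scripts, third-party script count,
form targets over HTTPS, password autocomplete and inline tracking handlers.

Added example, not the WeLead Lab scanner's code. TRACKER_HOSTS and
INLINE_TRACKING_CALLS are an illustrative subset, not the scanner's real
signature list; SAMPLE_HTML is a constructed page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Script hosts that identify a tracker (illustrative subset).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "static.hotjar.com": "Hotjar",
    "js.hs-scripts.com": "HubSpot",
    "analytics.tiktok.com": "TikTok Pixel",
}
# JavaScript calls that identify a tracker in inline scripts or handlers.
INLINE_TRACKING_CALLS = {
    "gtag(": "Google Analytics (gtag snippet)",
    "fbq(": "Meta Pixel (fbq snippet)",
    "hj(": "Hotjar (hj snippet)",
    "ttq.": "TikTok Pixel (ttq snippet)",
}

SAMPLE_PAGE_URL = "https://example.com/"
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
<script src="https://static.hotjar.com/c/hotjar-0.js"></script>
<script src="/static/app.js"></script>
</head><body>
<form action="http://example.com/newsletter" method="post"><input type="email" name="email"></form>
<form action="/login" method="post"><input type="password" name="pw"></form>
<a href="/privacy" onclick="gtag('event', 'privacy_click')">Privacy</a>
</body></html>
"""


class PrivacyAuditParser(HTMLParser):
    """Collect privacy findings while streaming through the page's HTML."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.trackers = set()
        self.third_party_scripts = 0
        self.insecure_forms = []
        self.weak_password_fields = []
        self.inline_handlers = []
        self._script_text = None  # non-None only while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script_text = ""
            if a.get("src"):
                host = urlparse(urljoin(self.page_url, a["src"])).hostname
                if host and host != self.site_host:
                    self.third_party_scripts += 1
                if host in TRACKER_HOSTS:
                    self.trackers.add(TRACKER_HOSTS[host])
        elif tag == "form":
            # A relative action inherits the page's scheme, so resolve it first.
            action = urljoin(self.page_url, a.get("action", ""))
            if urlparse(action).scheme != "https":
                self.insecure_forms.append(action)
        elif tag == "input" and a.get("type", "").lower() == "password":
            if a.get("autocomplete", "").lower() not in ("current-password", "new-password"):
                self.weak_password_fields.append(a.get("name", "<unnamed>"))
        # on* attributes are inline handlers that a consent layer cannot gate.
        for name, value in a.items():
            if name.startswith("on") and any(call in value for call in INLINE_TRACKING_CALLS):
                self.inline_handlers.append(f"<{tag} {name}>")

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            for call, label in INLINE_TRACKING_CALLS.items():
                if call in self._script_text:
                    self.trackers.add(label)
            self._script_text = None


def audit_html(html, page_url):
    """Run the HTML-based checks and return the findings as a dict."""
    parser = PrivacyAuditParser(page_url)
    parser.feed(html)
    parser.close()
    return {
        "trackers": sorted(parser.trackers),
        "third_party_scripts": parser.third_party_scripts,
        "insecure_forms": parser.insecure_forms,
        "weak_password_fields": parser.weak_password_fields,
        "inline_handlers": parser.inline_handlers,
    }


if __name__ == "__main__":
    for check, result in audit_html(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{check}: {result}")
```

The sample page yields three trackers (the gtag.js loader, the inline gtag snippet and Hotjar), two third-party scripts (the site's own /static/app.js is not counted), one form posting over plain HTTP, one password field without a password-manager autocomplete value, and one inline onclick handler that fires gtag outside any consent layer. Because the parser only reads HTML, it sees what the first response contains; trackers injected later by Google Tag Manager would need the page to be rendered in a browser to be observed.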
How to use the free website privacy scanner

  • Paste your URL into the WeLead Lab website analyzer — include https:// and the full domain.
  • Click "Analyze." The GDPR compliance checker runs all 18 privacy checks in 20–30 seconds. It's 100% passive — nothing is attacked, nothing is stored on your server.
  • Read your compliance report. You'll get a prioritized list of every cookie set, every tracker detected, every missing disclosure, and a plain-English fix for each issue.
  • No signup. No email. No credit card. Just a clear picture of your privacy posture.

GDPR requirements explained

The EU's General Data Protection Regulation applies to any website that processes personal data of EU residents — regardless of where the business is located. "Personal data" is interpreted broadly: cookies, IP addresses, device fingerprints, and user IDs all count.

Here's what GDPR actually requires from a website:

  • Consent before setting non-essential cookies. Strictly necessary cookies (session, CSRF, language preference) are allowed. Everything else — analytics, advertising, personalization — requires prior, specific, informed, freely given consent. "By using this site you agree" banners are illegal.
  • A clear, accessible privacy policy. It must disclose what data you collect, why, how long you keep it, who you share it with, the legal basis for processing, and the user's rights. The free website privacy scanner verifies the link exists and is reachable.
  • Right to access, rectify, and delete. Users can request a copy of their data, corrections, or full deletion (the "right to be forgotten"). You must respond within 30 days.
  • Data breach notifications. Breaches affecting personal data must be reported to the regulator within 72 hours.
  • A cookie banner with an equally prominent "reject all" option. This is the single most enforced rule in 2024–2026. France's CNIL alone has fined Google, Facebook, Amazon, and hundreds of smaller sites for making "accept" a one-click choice while "reject" required digging through a settings menu.

If your site fails any of these, a GDPR compliance checker will flag it and tell you exactly which check failed.

CCPA requirements (California)

The California Consumer Privacy Act — updated by CPRA in 2023 — applies to businesses that meet any one of these thresholds: $25M+ in annual revenue, 100,000+ California consumers, or derive 50%+ of revenue from selling personal data. In practice, most US-facing ecommerce and SaaS sites are covered.

  • A "Do Not Sell or Share My Personal Information" link in the footer, clearly visible on every page. This is non-negotiable if you use advertising cookies or share data with third parties.
  • A privacy policy with CCPA-specific sections: categories of data collected, categories of sources, business purposes, categories of third parties, and consumer rights under California law.
  • An opt-out mechanism that doesn't require account creation. The Global Privacy Control (GPC) signal must be honored automatically — several AGs have already sued businesses that ignored it.
  • No discrimination against users who exercise their rights (you can't block or degrade service for people who opt out).

Our free website privacy scanner checks for the "Do Not Sell" link, detects whether your site responds to GPC headers, and confirms your privacy policy is linked from every page.

Common privacy violations and how to fix them

These are the issues our GDPR compliance checker finds most often — and how to fix each one.

1. Loading Google Analytics before consent

This is the #1 violation across every scan we run. GA4 sets a _ga cookie and sends a pageview the moment the page loads, long before any banner appears. Fix: install a consent management platform (CMP) and configure Google Tag Manager in "consent mode v2" so analytics only fires after the user accepts.

2. Missing cookie banner

If the scanner can't detect a banner, regulators won't either. Install one of the free or paid options listed below and configure it to block non-essential cookies until the user interacts.

3. Missing or outdated privacy policy

Use a reputable generator (Termly, iubenda, or Shopify's built-in template) and update it whenever you add a new tracking tool. The free website privacy scanner verifies the link exists but you're responsible for the content accuracy.

4. Setting tracking cookies without consent

This is a two-part fix: (a) identify every tracking tool with the scanner, (b) configure your CMP to block each one until the user opts in. Don't rely on "legitimate interest" — EU DPAs have rejected this basis for analytics and advertising.

5. No "reject all" option on the cookie banner

If your banner has a big "Accept all" button but hides "Reject all" behind a second click, you're in direct violation of GDPR and French, German, and Italian guidance. Fix: make both buttons equally prominent — same size, same color contrast, same position. This alone has been the basis for dozens of six-figure fines.

You don't need to build consent management from scratch. A few of the most commonly deployed options:

  • Cookiebot by Usercentrics — fully automated scanner + CMP, generous free tier for small sites.
  • OneTrust — enterprise-grade, used by Fortune 500 companies; expect enterprise pricing.
  • Osano — developer-friendly, strong default GDPR and CCPA templates, free tier available.
  • Iubenda — great bundled privacy policy generator + cookie banner combo.
  • Klaro! — open-source, self-hosted, free forever. Ideal if you're a small site that wants full control.
  • Cookie Script — affordable, simple setup, supports GDPR and CCPA out of the box.

Whichever you pick, scan your site with the free website privacy scanner after installation to confirm the CMP is actually blocking what it promises to block. We regularly find CMPs that are installed but misconfigured — trackers still fire on page load because a tag wasn't wired through the consent layer.

Scan your site now — free, no signup

The free website privacy scanner at WeLead Lab is the fastest way to find out whether your site is putting you at risk of GDPR, CCPA, or class-action liability. You'll know in 30 seconds whether your cookies, trackers, and privacy disclosures are in order.

Run your free GDPR compliance checker now →

No account. No email. No limits. Just answers.

Frequently Asked Questions

Is the free website privacy scanner safe to run on my production site?

Yes, 100% safe. It's a passive scanner — it only loads your homepage the way a normal browser would, then analyzes the cookies, scripts, and HTML in the response. Nothing is attacked, nothing is stored, and no personal data leaves your site.

Does passing this scan mean I'm fully GDPR compliant?

No — and no automated tool can guarantee full compliance. The free website privacy scanner catches the most common technical violations (missing banners, untagged trackers, insecure cookies, missing links), but GDPR also requires organizational measures: a documented Record of Processing Activities, a Data Processing Agreement with each vendor, a defined legal basis for each purpose, and a process for handling subject access requests. Use the scanner as your first line of defense, then consult a privacy lawyer for a full audit.

What's the difference between GDPR and CCPA?

GDPR is the EU's comprehensive privacy regulation applying to any business processing EU residents' data. CCPA (California) is narrower: it focuses on the "sale" and "sharing" of personal information and applies mainly to larger US businesses. GDPR is consent-based ("opt-in"); CCPA is opt-out. Both require a clear privacy policy, and our GDPR compliance checker covers the technical basics of both.

Can I scan any website, or only my own?

You can scan any publicly reachable website. Because all checks are passive and equivalent to a normal browser visit, no permission is required. We recommend running it on your competitors too — it's a great way to see whether they're setting the trackers they claim to set, and whether their cookie banner is actually blocking anything.

How often should I run a privacy scan?

At minimum, re-scan every time you install a new marketing tool, add a tracking pixel, or update your CMS. Every new plugin, chat widget, or A/B test tool adds cookies and trackers you may not have disclosed. Monthly scans are a good default for most sites; weekly is better if you're running active marketing campaigns. The WeLead Lab website analyzer is free, so there's no downside to checking often.

---

Ready to find out where you stand? Run the free website privacy scanner →

Vladimir Kamenev
Founder

25 years in industry

Want us to build your website free?

Custom website + 30+ SEO articles/month + AI search optimization. $500/month, no contracts.

Get Your Free Website →