Free Website Compliance Assessment

Find your compliance gaps
before a regulator does.

Five forensic tests on your website — pre-consent, post-accept, post-reject, GPC signal, and internal routes — documented with SHA-256 evidence hashing. Cookie compliance, consent dark patterns, privacy policy gaps, and multi-jurisdiction exposure. Your consent platform says you're compliant. We produce the proof.

GDPR, UK GDPR + PECR, CCPA / CPRA, ePrivacy, LGPD, DPDP (India), PIPEDA, Quebec Law 25, GPC (12 US States)

What Makes Cairn Different

Not a CMP vendor. Not a cookie scanner. An independent forensic auditor.

1. Independent Auditor

We audit OneTrust, Cookiebot, CookieYes, and every other consent platform. No CMP vendor will build this tool — because it exposes failures in their own product.

2. Forensic Evidence

Every finding is backed by SHA-256 hashed screenshots, a timestamped action log, and reproducible browser evidence — the format regulators cite in enforcement actions.

3. Jurisdiction-Aware

The same website gets different grades under GDPR vs CCPA. We detect applicable jurisdictions automatically and score against each one — including GPC testing across 12 US states.

In March 2026, 25 European data protection authorities launched a coordinated enforcement action on transparency obligations (GDPR Articles 12–14). Cairn tests exactly what they're investigating: privacy policy disclosure elements, cookie policy completeness, consent mechanism functionality, and data recipient transparency.

Scan Your Website

Select the jurisdiction where your company is based. Cairn automatically detects additional applicable jurisdictions from your privacy policy, domain, and legal documents.

Results in under 3 minutes. Five-pass scan: pre-consent state, accept path, reject path, GPC signal test, and internal page discovery.


What We Scan For

16 automated checks across cookie compliance and privacy infrastructure.

Cookie & Tracker Assessment

Pre-Consent Cookies

Cookies that fire before any user interaction — the #1 GDPR enforcement trigger.

The #1 reason EU regulators issue fines.

Reject-Path Testing

What happens when a user clicks Reject All? Fresh browser context, isolated from the accept path. SHA-256 evidence hashing at each step.

CNIL fined Google EUR 150M for this exact violation.
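The reject-path and pre-consent tests above come down to two things: cookie jars captured in isolated browser contexts, and an evidence trail whose artifacts are hashed at capture time. The following is an added example, not Cairn's own code, that shows the bookkeeping side of that method. The cookie classification sets and the three captures are constructed for the example (a real scan would take them from a headless browser session per phase and a vendor database); the finding names are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed classification for this example only; a real scan uses a
# vendor/cookie database and flags anything it cannot classify.
ESSENTIAL = {"session_id", "csrf_token", "cookie_consent"}
NON_ESSENTIAL = {"_ga", "_gid", "_fbp", "hubspotutk", "IDE"}


def classify(name):
    """Return 'essential', 'non-essential' or 'unknown' (flagged for review)."""
    if name in ESSENTIAL:
        return "essential"
    if name in NON_ESSENTIAL:
        return "non-essential"
    return "unknown"


class EvidenceLog:
    """Timestamped action log; every captured artifact is SHA-256 hashed so a
    reviewer can later prove the stored evidence was not altered."""

    def __init__(self):
        self.entries = []

    def record(self, phase, action, artifact):
        digest = hashlib.sha256(artifact).hexdigest()
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "phase": phase,
            "action": action,
            "sha256": digest,
        })
        return digest

    def verify(self, index, artifact):
        """True if `artifact` still matches the hash recorded at `index`."""
        return hashlib.sha256(artifact).hexdigest() == self.entries[index]["sha256"]


def snapshot_artifact(phase, cookie_names):
    """Canonical JSON bytes for a cookie jar; deterministic so hashes are reproducible."""
    return json.dumps({"phase": phase, "cookies": sorted(cookie_names)},
                      sort_keys=True).encode()


def audit_consent_paths(captures, log):
    """`captures` maps each phase to the cookie names observed in its own
    isolated browser context. The reject path must never reuse the accept-path
    context, or cookies set on accept would be misreported as surviving reject."""
    for phase in ("pre_consent", "post_accept", "post_reject"):
        log.record(phase, "capture cookie jar", snapshot_artifact(phase, captures[phase]))

    pre = captures["pre_consent"]
    rejected = captures["post_reject"]
    return {
        # anything non-essential or unknown that fired before any interaction
        "pre_consent_non_essential": sorted(c for c in pre if classify(c) != "essential"),
        # known trackers still present after Reject All in a fresh context
        "persist_after_reject": sorted(c for c in rejected if classify(c) == "non-essential"),
        # regulatory unknowns, to be classified first
        "unclassified": sorted(c for c in pre | captures["post_accept"] | rejected
                               if classify(c) == "unknown"),
    }


# Constructed captures standing in for three separate headless-browser contexts.
CAPTURES = {
    "pre_consent": {"session_id", "_ga", "_gid", "pixel_x"},
    "post_accept": {"session_id", "cookie_consent", "_ga", "_gid", "_fbp",
                    "hubspotutk", "pixel_x"},
    "post_reject": {"session_id", "cookie_consent", "_ga", "_fbp"},
}


def run_example():
    log = EvidenceLog()
    findings = audit_consent_paths(CAPTURES, log)
    return findings, log


if __name__ == "__main__":
    findings, log = run_example()
    print(json.dumps(findings, indent=2))
    for entry in log.entries:
        print(entry["ts"], entry["phase"], entry["sha256"][:16])
```

The hash is taken over a canonical serialisation so that the same cookie jar always produces the same digest; `verify` is what a reviewer runs against the stored artifacts before relying on them.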

Third-Party Trackers

Every pixel, script, and beacon sending your visitor data to external companies — before and after consent.

Each undisclosed transfer requires a Data Processing Agreement.

Data Flow Mapping

Which organizations receive your visitors' data — Google, Meta, HubSpot, and more — mapped to each transfer.

GDPR Article 13 requires you to disclose every recipient.

Visual Evidence

Timestamped screenshots at each consent phase — the documented proof regulators look for in enforcement proceedings.

The evidence format the ICO and CNIL cite in enforcement actions.

Cookie Classification

Every cookie identified by vendor, category, purpose, and data recipient — with unknowns flagged for review.

Unclassified cookies are regulatory unknowns — fix them first.

GPC Signal Testing

Does your site honor the Global Privacy Control opt-out signal? We send GPC headers and measure what changes.

CPPA fined Todd Snyder $350K for ignoring GPC signals.
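The GPC test is a differential measurement: the same page is fetched with and without the `Sec-GPC: 1` request header that the Global Privacy Control specification defines, and the cookie sets are compared. This added example (not Cairn's code) shows that comparison against three constructed toy servers, one that honours the signal, one that honours it only for some vendors, and one that ignores it. The set of "sale or share" cookies and the PASS/PARTIAL/FAIL cut-offs are this example's assumptions; the page names the verdicts but not how they are computed.

```python
# Constructed set of cookies that represent a "sale or share" of personal
# data in this example; a real scan classifies them from a vendor database.
SALE_SHARE_COOKIES = {"_fbp", "IDE", "_gcl_au"}

GPC_HEADER = "Sec-GPC"  # request header defined by the Global Privacy Control spec


def honoring_site(headers):
    """Toy server: sets ad/share cookies only when the visitor did not send Sec-GPC: 1."""
    cookies = {"session_id", "_ga"}
    if headers.get(GPC_HEADER) != "1":
        cookies |= {"_fbp", "IDE", "_gcl_au"}
    return cookies


def partial_site(headers):
    """Toy server that honours GPC for two vendors but still sets _gcl_au."""
    cookies = {"session_id", "_ga", "_gcl_au"}
    if headers.get(GPC_HEADER) != "1":
        cookies |= {"_fbp", "IDE"}
    return cookies


def ignoring_site(headers):
    """Toy server that never reads the signal."""
    return {"session_id", "_ga", "_fbp", "IDE", "_gcl_au"}


def gpc_test(site):
    """Fetch once without and once with the GPC header (separate contexts),
    then grade how many sale/share cookies from the baseline disappeared.
    Verdict rules are this example's assumption, not Cairn's published scoring."""
    baseline = site({"User-Agent": "audit-bot"})
    with_gpc = site({"User-Agent": "audit-bot", GPC_HEADER: "1"})

    expected_gone = baseline & SALE_SHARE_COOKIES
    removed = expected_gone - with_gpc

    if not expected_gone:
        verdict = "NOT_APPLICABLE"  # nothing to opt out of on this page
    elif removed == expected_gone:
        verdict = "PASS"
    elif removed:
        verdict = "PARTIAL"
    else:
        verdict = "FAIL"

    return {
        "verdict": verdict,
        "sale_share_baseline": sorted(expected_gone),
        "removed_under_gpc": sorted(removed),
        "still_set_under_gpc": sorted(expected_gone - removed),
    }


if __name__ == "__main__":
    for name, site in (("honoring", honoring_site), ("partial", partial_site),
                       ("ignoring", ignoring_site)):
        print(name, gpc_test(site))
```

Against a live site the two `site(...)` calls would be two headless-browser visits in fresh profiles, and the cookie sets would be read from the browser's cookie store rather than returned directly; the comparison logic is unchanged.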

Dark Pattern Detection

Measured CSS evidence of visual prominence asymmetry, click count asymmetry, pre-checked toggles, and hidden reject options.

EDPB Guidelines 3/2022 made dark patterns an enforcement priority.
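"Measured CSS evidence" means the finding is a number taken from the rendered buttons, not an opinion about the banner. This added example (not Cairn's code) shows the kind of measurement involved: WCAG relative luminance and contrast ratio for each button's text against its background, font-size ratio, click-count asymmetry, and a hidden reject control. The two banner snapshots are constructed to resemble what a headless browser's `getComputedStyle()` would return, and the asymmetry thresholds are this example's assumptions; the page cites EDPB Guidelines 3/2022 but does not publish Cairn's cut-offs.

```python
# Constructed computed-style snapshots for the Accept and Reject controls of
# two banners. Not Cairn's data format.
DARK_BANNER = {
    "accept": {"background": "#0052CC", "color": "#FFFFFF", "font_size_px": 16,
               "display": "inline-block", "clicks_to_act": 1},
    # reject only reachable via "Manage settings" -> toggle -> save
    "reject": {"background": "#FFFFFF", "color": "#CCCCCC", "font_size_px": 11,
               "display": "none", "clicks_to_act": 3},
}
FAIR_BANNER = {
    "accept": {"background": "#0052CC", "color": "#FFFFFF", "font_size_px": 16,
               "display": "inline-block", "clicks_to_act": 1},
    "reject": {"background": "#0052CC", "color": "#FFFFFF", "font_size_px": 16,
               "display": "inline-block", "clicks_to_act": 1},
}

# Thresholds are assumptions for this example.
CONTRAST_RATIO_LIMIT = 1.5  # accept contrast divided by reject contrast
FONT_RATIO_LIMIT = 1.2      # accept font size divided by reject font size


def _channel(value):
    """Linearise one sRGB channel (0-255) per WCAG 2.x."""
    c = value / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color):
    """WCAG 2.x relative luminance of a #RRGGBB colour."""
    r, g, b = (int(hex_color[i:i + 2], 16) for i in (1, 3, 5))
    return 0.2126 * _channel(r) + 0.7152 * _channel(g) + 0.0722 * _channel(b)


def contrast_ratio(fg, bg):
    """WCAG contrast ratio, from 1.0 (invisible) to 21.0 (black on white)."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def analyse_banner(banner):
    """Return a list of dark-pattern findings, each with the measured values."""
    acc, rej = banner["accept"], banner["reject"]
    acc_contrast = contrast_ratio(acc["color"], acc["background"])
    rej_contrast = contrast_ratio(rej["color"], rej["background"])
    findings = []

    if rej["display"] == "none" or rej.get("visibility") == "hidden":
        findings.append({"type": "hidden_reject",
                         "measured": {"display": rej["display"]}})
    if acc_contrast / rej_contrast > CONTRAST_RATIO_LIMIT:
        findings.append({"type": "prominence_asymmetry",
                         "measured": {"accept_contrast": round(acc_contrast, 2),
                                      "reject_contrast": round(rej_contrast, 2)}})
    if acc["font_size_px"] / rej["font_size_px"] > FONT_RATIO_LIMIT:
        findings.append({"type": "font_asymmetry",
                         "measured": {"accept_px": acc["font_size_px"],
                                      "reject_px": rej["font_size_px"]}})
    if rej["clicks_to_act"] > acc["clicks_to_act"]:
        findings.append({"type": "click_asymmetry",
                         "measured": {"accept_clicks": acc["clicks_to_act"],
                                      "reject_clicks": rej["clicks_to_act"]}})
    return findings


if __name__ == "__main__":
    print("dark:", analyse_banner(DARK_BANNER))
    print("fair:", analyse_banner(FAIR_BANNER))
```

Each finding carries the raw numbers, so a reader of the report can re-derive the conclusion from the screenshot rather than take the verdict on trust.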

Privacy Setup Checks

Legal Page Detection

Privacy policy, terms of service, cookie policy, and accessibility statement — verified across common URL paths.

Missing pages are the first thing a regulator checks.

Footer & Navigation Links

Whether required legal pages are linked from the footer of every page, not buried or missing.

A page that exists but isn't linked is legally invisible.

CCPA Opt-Out Link

"Do Not Sell or Share" link detection — required if you share visitor data with advertising platforms.

California AG actively enforces missing opt-out links.

Consent Withdrawal

A persistent cookie preferences link so users can change their consent after the initial banner disappears.

GDPR Art. 7(3): withdrawal must be as easy as giving consent.

Form Consent Mechanisms

Forms that collect email addresses are checked for consent checkboxes, pre-checked dark patterns, and privacy links.

Pre-checked boxes are invalid consent under CJEU Planet49.

Policy Adequacy Scan

Analyzes your privacy policy against 13 required GDPR disclosure elements with sub-element analysis.

Missing any of the 13 elements violates GDPR Art. 13.

Multi-Jurisdiction Detection

Automatic identification of all applicable jurisdictions from your domain, privacy policy, hreflang tags, and legal documents.

A UK company with EU visitors faces 3+ jurisdictions.

Company Domicile Inference

Determines your primary legal obligation from governing law clauses, corporate entity suffixes, and physical address patterns.

Your domicile determines which regulator has primary authority.

Assessment Tiers & Pricing

The free scan gives you your compliance grade and headline findings. Paid tiers go deeper.

Compliance Diagnostic
$750
One-time assessment
  • Dual compliance scoring (Cookie + Privacy Setup) out of 100
  • GPC signal compliance test with PASS/PARTIAL/FAIL verdict
  • Company domicile detection and anchor standard determination
  • Jurisdiction-specific assessment with enforcement citations
  • Complete cookie & tracker inventory with classification
  • Legal document adequacy review (element-by-element)
  • Cookie policy cross-reference (disclosed vs undisclosed)
  • Consent dark pattern analysis with measured evidence
  • Forensic action log (timestamped audit trail)
  • Multi-jurisdiction regulatory exposure comparison
Full Assessment + Consultation
$3,000
One-time assessment + consultation
  • Everything in the $2,000 plan
  • 60-minute strategic consultation call
  • Custom-prioritized roadmap based on your business context
  • Multi-jurisdiction deep-dive with exposure matrix
  • Written summary memo for board or legal team

Why re-scan quarterly? Websites change constantly — new analytics tags, CMP drift, privacy policy updates, new regulations. A quarterly re-scan catches regressions before a regulator does.

Frequently Asked Questions

How is Cairn different from OneTrust, Cookiebot and CookieYes?

OneTrust, Cookiebot and CookieYes are Consent Management Platforms — they implement the consent banner. Cairn is an independent auditor — we test whether their implementation actually works. We open a fresh browser, click Reject All, and document every cookie that persists. No CMP vendor will build this tool because it exposes failures in their own product. Beyond consent testing, Cairn analyzes dark patterns with measured CSS evidence, checks your privacy policy against 13 GDPR-required disclosure elements, tests GPC signal compliance, and provides jurisdiction-specific scoring across 7 regulatory frameworks.

What jurisdictions do you cover?

GDPR (EU), UK GDPR + PECR, CCPA/CPRA (US), LGPD (Brazil), DPDP Act (India), PIPEDA (Canada), and Quebec Law 25. Cairn automatically detects which jurisdictions apply based on your privacy policy content, domain signals, hreflang tags, and company location. GPC signal compliance is tested against the legal requirements of 12 US states.

Is this safe to run on my website?

Yes. The scan uses a standard headless browser — the same technology Google uses to index your site. It sends normal HTTP requests, clicks your consent banner, and observes the response. It does not modify your site, inject code, or access any authenticated areas.

Who sees my scan results?

Only you. Your report is delivered to the email address you provide and stored on our servers for 90 days, then automatically deleted. We do not publish, share, or sell scan results. Full details in our Privacy Policy.

What happens after I scan?

You get an instant summary report with your compliance grade, cookie breakdown, reject-path test result, and privacy setup findings. If you want the full report — complete cookie inventory, visual evidence, dark pattern analysis, policy adequacy review, and phased remediation roadmap — you can schedule a free 15-minute review call.

Can I use this report in a regulatory proceeding?

The report includes SHA-256 hashed screenshots, a timestamped forensic action log, and per-cookie penalty transparency — the evidence format regulators reference in enforcement actions. It is designed to be shared with legal counsel or attached to a regulatory filing. However, it is a technical assessment, not legal advice.

What's the difference between the free scan and paid tiers?

The free scan gives you both compliance grades and headline findings. The $750 Diagnostic adds the complete technical evidence. The $2,000 plan adds a step-by-step remediation roadmap. The $3,000 plan adds a strategic consultation. All paid tiers are available as annual plans with quarterly re-scans at up to 27% off.
