Free tool · 1 min

GDPR & Cookie Risk Scanner

Enter a URL. We detect 20+ common trackers, the major consent platforms, and missing privacy and cookie policies, and flag what EU regulators look for.

What we actually check

We fetch the page HTML once (no headless browser, no follow-on requests) and look for fingerprints of 20+ commonly-deployed trackers, the major consent management platforms, and links to your privacy, cookie, and terms pages. Trackers that require consent under GDPR are separated from essential ones like Stripe.js or privacy-friendly analytics such as Plausible.
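A minimal sketch of the single-fetch fingerprint check described above, as an added example that is not the scanner's own code. The fingerprint tables, the `scan` function, the risk labels and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Illustrative fingerprints (URL substring -> name); assumed, not the scanner's real list.
CONSENT_REQUIRED = {"googletagmanager.com/gtag/js": "Google Analytics 4",
                    "connect.facebook.net": "Meta Pixel"}
ESSENTIAL = {"js.stripe.com": "Stripe.js", "plausible.io/js": "Plausible"}
CMPS = {"consent.cookiebot.com": "Cookiebot", "cdn.cookielaw.org": "OneTrust"}
POLICY_WORDS = ("privacy", "cookie", "terms")


class PageFacts(HTMLParser):  # collects script sources, inline script text, link targets
    def __init__(self):
        super().__init__()
        self.scripts, self.links, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if tag == "script":
            self.scripts.append(dict(attrs).get("src") or "")
        elif tag == "a":
            self.links.append((dict(attrs).get("href") or "").lower())

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline snippets often carry the loader URL
            self.scripts.append(data)


def scan(html):
    facts = PageFacts()
    facts.feed(html)
    blob = "\n".join(facts.scripts).lower()
    def found(table):
        return sorted(name for fp, name in table.items() if fp in blob)
    report = {"consent_required": found(CONSENT_REQUIRED), "essential": found(ESSENTIAL),
              "cmp": found(CMPS),
              "missing_policies": [w for w in POLICY_WORDS
                                   if not any(w in h for h in facts.links)]}
    # Static HTML shows that a CMP is present, never that it actually gates the tags.
    risk = "review-gating" if report["cmp"] else "ungated-trackers"
    report["risk"] = risk if report["consent_required"] else "none-detected"
    return report

# Constructed sample page, embedded so the example runs offline.
SAMPLE = """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>var v = 'https://connect.facebook.net/en_US/fbevents.js';</script>
<script src="https://js.stripe.com/v3/"></script><a href="/privacy-policy">Privacy</a> <a href="/terms">Terms</a>"""
```

`scan(SAMPLE)` reports two consent-required trackers, no consent platform and a missing cookie policy link. A `review-gating` result still needs a check in a real browser, because a banner in the HTML says nothing about whether tags wait for consent.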

Why a banner alone isn't enough

A common failure mode: install a banner but fire Google Analytics and Meta Pixel anyway on page load. That violates Article 6 because consent must be obtained before processing. Use Google Consent Mode v2 (or your CMP's equivalent) to actually gate the tags. The Dutch AP, CNIL, and Garante have all issued fines on exactly this failure in the last two years.

The honest limit of a public scan

A URL scan sees what an unauthenticated visitor sees. It cannot see your DPA stack, your data residency, your retention policies, or your DSR workflow. The iSystem platform supports compliance posture — but the operator still has obligations only a human can satisfy. We are explicit about that distinction.

FAQ

Frequently asked questions

  • Does a clean scan mean my site is GDPR compliant?

    No — compliance also covers contracts (DPAs), data residency, retention policies, and DSR handling, which a URL scan can't see. This tool catches the most common public-facing failures: missing banners, missing policies, and trackers that fire pre-consent. It's the first 30%, not the whole picture.

  • I have a consent banner but you didn't detect it. Why?

    We fingerprint the major CMPs (Cookiebot, OneTrust, CookieYes, Termly, iubenda, Osano, Quantcast) and the common cookie-consent scripts. Custom-built banners can slip through. Email the URL and we'll add the fingerprint — it makes the tool more useful for the next operator too.

  • We use Google Tag Manager — is GTM itself a problem?

    GTM is the loader, not the tag — but the tags it deploys (GA4, Google Ads, Meta Pixel) almost always require consent. Wire GTM to your CMP using Consent Mode v2 so non-essential tags don't fire pre-consent. If they fire anyway, you have the same problem with or without GTM in the middle.

  • What changed in EU enforcement recently?

    Dutch AP, Belgian APD, French CNIL, and Italian Garante are all issuing fines for analytics that fire pre-consent or for missing Article 13 disclosures. The bar moved in the last two years; an audit from 2022 is not enough.

Tools we recommend

Hand-picked partners

These are partner links. We may earn a commission if you sign up — it doesn't cost you anything extra, and we only list tools we use in production.