Privacy Audit

Methodology

How the Privacy Audit playbook works — criteria, scoring, and the AI-native workflow that produces each report.

What it measures

Each audit evaluates a site against seven GDPR and ePrivacy criteria. The scanner runs a headless Firefox browser in EU locale and executes three independent variants — ignore, accept, reject — to capture network activity, cookies, fingerprinting calls, and consent flow behaviour in isolated browser contexts.

The 7 criteria

Consent

Presence, quality, and legality of the consent banner. Checks for TCF compliance, Google Consent Mode v2, binary-only consent (no granular purposes), cookie walls, GPC signal support, and banner text clarity.

Pre-Consent Tracking

Network requests, cookies, and fingerprinting that fire before any user interaction. Under ePrivacy Art. 5(3) and EDPB 2023 guidelines, this is illegal regardless of whether cookies are used.

Legal Pages

Presence and quality of Privacy Policy, Cookie Policy, and Terms. Checks GDPR Art. 13/14 disclosure requirements — controller identity, data purposes, retention periods, third-party recipients, and DSAR exercise paths.

Cross-Border

Data transfers to third countries. Identifies tracker jurisdictions, adequacy decisions, and whether appropriate safeguards (SCCs, BCRs) are disclosed.

Security Headers

HTTP security headers present on the site. Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Cookie Management

Cookie hygiene — how many are set pre-consent, whether consent revocation works, whether cookies are actually removed after withdrawal, and classification accuracy.

Dark Patterns

UI asymmetry in the consent flow — e.g. 'Accept All' prominently placed vs. 'Reject' buried in submenus, misleading labels, pre-ticked boxes, and visual deception.

Scoring scale

Range       Rating      Meaning
8.5–10.0    Exemplary   Strong compliance, no critical findings
7.0–8.4     Good        Good, minor issues only
5.5–6.9     Acceptable  Moderate — notable gaps
4.0–5.4     Poor        Significant violations
2.0–3.9     Very Poor   Multiple critical failures
1.0–1.9     Failing     Non-compliant

The scanning pipeline

Each audit runs through a six-stage pipeline. The 3-variant scan is the core differentiator — by comparing ignore, accept, and reject scenarios in isolated browser contexts, the scanner detects pre-consent violations, consent-gated tracking, and revocation failures that single-pass tools miss.

Scout (~10s)

Quick 10-second page load with headless Firefox. Captures a viewport screenshot and detects the CMP platform — OneTrust, Cookiebot, Didomi, or custom banners via CSS pattern matching.

Vision assist

Claude reads the scout screenshot and identifies button labels — "Accept All", "Reject", "Save Preferences" — providing text hints the scanner can't detect from DOM alone.

3-variant scan (Firefox / EU locale)

Three fresh browser contexts run in parallel. Each records all network requests, cookies, localStorage, and fingerprinting API calls (Canvas, WebGL, AudioContext).

  • Ignore: no interaction with the consent banner
  • Accept: clicks "Accept All", waits 8s
  • Reject: clicks "Reject", checks cookie removal
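The cross-variant comparison described above, as an added example that is not the playbook's own code: given one capture per variant (a constructed shape, since the page does not publish the scanner's output format), it derives the three classes of finding a single-pass scan misses. The site, tracker hosts and cookie names are constructed sample values.

```python
from dataclasses import dataclass

# Assumed capture shape for one scan variant. The page does not specify the
# scanner's real output format, so this is a constructed stand-in.
@dataclass(frozen=True)
class VariantCapture:
    hosts: frozenset             # every hostname contacted during the variant
    post_click_hosts: frozenset  # hostnames contacted after the banner click (empty for ignore)
    cookies: frozenset           # cookie names present when the variant finished

# Constructed site, tracker list and strictly-necessary cookie names (assumptions).
FIRST_PARTY = "shop.example"
TRACKERS = frozenset({"ads.tracker.example", "stats.analytics.example"})
ESSENTIAL = frozenset({"session_id", "csrf_token"})

def compare_variants(ignore, accept, reject):
    """Cross-compare the ignore / accept / reject captures and return findings."""
    return {
        # Trackers and non-essential cookies present with no interaction at all.
        "pre_consent_trackers": sorted(ignore.hosts & TRACKERS),
        "pre_consent_cookies": sorted(ignore.cookies - ESSENTIAL),
        # Trackers that appear only once Accept All is clicked: correctly gated.
        "consent_gated_trackers": sorted((accept.post_click_hosts & TRACKERS) - ignore.hosts),
        # Trackers still contacted after Reject was clicked.
        "trackers_despite_reject": sorted(reject.post_click_hosts & TRACKERS),
        # Non-essential cookies that survived the reject flow: revocation failure.
        "cookies_surviving_reject": sorted(reject.cookies - ESSENTIAL),
    }

def has_critical_findings(findings):
    """True when any finding a single-pass scan would miss or mis-rate is present."""
    return any(findings[k] for k in
               ("pre_consent_trackers", "trackers_despite_reject", "cookies_surviving_reject"))

# Constructed captures: the site loads an ad tracker before consent, gates its
# analytics tracker correctly, but leaves the ad cookie in place after Reject.
IGNORE = VariantCapture(frozenset({FIRST_PARTY, "ads.tracker.example"}),
                        frozenset(), frozenset({"session_id", "_adid"}))
ACCEPT = VariantCapture(frozenset({FIRST_PARTY, "ads.tracker.example", "stats.analytics.example"}),
                        frozenset({"ads.tracker.example", "stats.analytics.example"}),
                        frozenset({"session_id", "_adid", "_stats"}))
REJECT = VariantCapture(frozenset({FIRST_PARTY, "ads.tracker.example"}),
                        frozenset({FIRST_PARTY}), frozenset({"session_id", "_adid"}))

if __name__ == "__main__":
    result = compare_variants(IGNORE, ACCEPT, REJECT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("critical:", has_critical_findings(result))
```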

Merge results

AI analysis (Opus)

Claude interprets the raw scanner output against GDPR articles and EDPB enforcement precedents. Scores 7 criteria, writes TL;DR findings, generates recommendations with legal citations.

Report generation

A local script converts the analysis JSON into the HTML presentation deck, Markdown report, and structured database row — all from a single source of truth.

Publish

Deck, analysis JSON, and report are uploaded to Supabase Storage. The scan row is upserted and goes live without a redeploy.

Limitations

  • Scans are point-in-time snapshots. Sites change frequently — a passing score today may not hold next month.
  • The scanner uses Firefox in EU locale. Behaviour may differ for other browsers, regions, or logged-in sessions.
  • Consent revocation testing requires a live interaction — some sites may use session-based state that the scanner can't fully replicate.
  • AI analysis is probabilistic. Legal conclusions should be verified against current EDPB guidance and national DPA decisions.
  • Vision-assisted banner detection may misidentify buttons on heavily customised consent UIs.

Changelog

2026-03-09 v1.1 — Regenerated all scans with 3-variant scanner and vision-assisted banner detection. Added mediamarkt.nl (#04). Updated methodology page with scanning pipeline visualisation.
2026-03-08 v1.0 — Initial release. 7 criteria, 3 published scans.