Is Your Website GDPR and CCPA Compliant?
We scan your site for trackers loading before consent, missing privacy disclosures, non-compliant cookie banners, and CCPA opt-out failures. The same scan also checks security vulnerabilities, ADA accessibility, and legal pages — one URL, everything covered.
No account needed for your first scan.
What the GDPR & CCPA Checker Audits
Cookie consent audit
Detects trackers loading before the user accepts your consent banner — the most commonly cited GDPR violation.
Privacy Policy quality
Checks that your policy exists, is linked in the footer, and covers data collected, third parties, retention, and user rights.
Third-party tracker detection
Identifies every analytics, advertising, and social media script on your pages — and whether they fire before consent.
Form consent language
Checks for pre-ticked marketing opt-in checkboxes and vague consent language that fails GDPR's "freely given, specific, informed" requirement.
CCPA opt-out link
Verifies the presence of a "Do Not Sell or Share My Personal Information" link for CCPA-covered businesses.
Security headers
Checks HTTP security headers including Content-Security-Policy and HSTS — required for GDPR's data security obligation.
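The checks listed above can be illustrated with a small offline audit. The following is an added example, not ComplixAI's scanner: it runs regex-based versions of the tracker, pre-ticked checkbox, CCPA link, privacy-policy link and security-header checks over a constructed HTML page and a constructed set of response headers. The tracker host list, the sample page and the header set are all assumptions made for the example; a production scanner would render the page in a real browser so that scripts injected at runtime are seen too, which this static pass cannot do.

```javascript
// Added example (not ComplixAI's code): a minimal static audit over a
// constructed page and constructed response headers.
const KNOWN_TRACKER_HOSTS = [ // assumed short list for the example
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'connect.facebook.net',
  'snap.licdn.com',
];

// Hostnames of every external <script src="..."> in the initial HTML.
function externalScriptHosts(html, pageOrigin) {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const url = new URL(m[1], pageOrigin);
      if (url.origin !== pageOrigin) hosts.push(url.hostname);
    } catch (_) { /* malformed src attribute: skip it */ }
  }
  return hosts;
}

// A tracker present as a plain <script src> tag in the initial HTML executes on
// page render, i.e. before any consent banner can be answered.
function trackersBeforeConsent(html, pageOrigin) {
  return externalScriptHosts(html, pageOrigin)
    .filter((host) => KNOWN_TRACKER_HOSTS.includes(host));
}

// Checkboxes that are pre-ticked and whose attributes suggest marketing consent.
function preTickedMarketingBoxes(html) {
  const re = /<input\b[^>]*\btype\s*=\s*["']checkbox["'][^>]*>/gi;
  return (html.match(re) || []).filter(
    (tag) => /\bchecked\b/i.test(tag) && /(marketing|newsletter|promo)/i.test(tag),
  );
}

function hasCcpaOptOutLink(html) {
  return /do not sell or share my personal information/i.test(html);
}

function hasPrivacyPolicyLink(html) {
  return /<a\b[^>]*>[^<]*privacy policy[^<]*<\/a>/i.test(html);
}

// Header names are case-insensitive in HTTP, so normalise before comparing.
function missingSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return ['content-security-policy', 'strict-transport-security']
    .filter((h) => !present.has(h));
}

function auditPage(html, pageOrigin, headers) {
  return {
    trackersBeforeConsent: trackersBeforeConsent(html, pageOrigin),
    preTickedMarketingBoxes: preTickedMarketingBoxes(html).length,
    ccpaOptOutLink: hasCcpaOptOutLink(html),
    privacyPolicyLink: hasPrivacyPolicyLink(html),
    missingSecurityHeaders: missingSecurityHeaders(headers),
  };
}

// Constructed sample page and headers (not a real site; G-EXAMPLE is a placeholder id).
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<form>
  <input type="checkbox" name="marketing_optin" checked> Send me offers
  <input type="checkbox" name="terms"> I accept the terms
</form>
<footer><a href="/privacy">Privacy Policy</a></footer>
</body></html>`;
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000',
};

console.log(auditPage(SAMPLE_HTML, 'https://example.com', SAMPLE_HEADERS));
```

On the constructed page the audit reports the Google Tag Manager script as loading before consent, one pre-ticked marketing checkbox, no CCPA opt-out link, a present privacy-policy link, and a missing Content-Security-Policy header (HSTS is present). Each finding maps to one of the audit items above.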
Why GDPR and CCPA Compliance Is Non-Negotiable
GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) are the two most consequential privacy laws affecting websites today. GDPR fines have reached billions of euros — Meta paid €1.2 billion in 2023 alone. CCPA enforcement by the California AG has resulted in settlements against companies of all sizes, including a $1.2M settlement against Sephora in 2022.
Both laws impose similar obligations at a high level: tell users what data you collect, get their consent before collecting it for non-essential purposes, and give them a way to opt out or delete their data. The technical requirements differ significantly, which is why compliance requires checking both.
The Most Common GDPR Violations on Websites
The single most common GDPR violation is firing analytics or advertising scripts before the user has consented via a cookie banner. Google Analytics, the Meta Pixel, and LinkedIn Insight Tag all collect personal data (IP addresses, device fingerprints, behavioral data) the moment they load. If these scripts fire before the user clicks "Accept," you are processing personal data without a lawful basis — a clear GDPR violation.
Other common failures: consent banners that have no real "Reject" option (presenting only "Accept" and "Manage Preferences"), Privacy Policies that don't name all third-party processors, and forms with pre-ticked marketing consent checkboxes.
GDPR vs. CCPA: Key Differences
GDPR is opt-in: you need prior consent before processing personal data for non-essential purposes. CCPA is opt-out: users can tell you to stop selling or sharing their data, but you may sell or share it by default until they do. This means being GDPR-compliant doesn't automatically make you CCPA-compliant, and vice versa — your site needs to satisfy both if you have EU and California users.
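The fix for the violation described in the two sections above (trackers firing before "Accept", and banners with no real reject) is to keep tracker scripts out of the initial HTML and inject them only through a consent gate. The following is an added example, not code from this page or from ComplixAI, and it goes slightly beyond the text by letting one gate serve both regimes just contrasted: under `'gdpr'` the default is pending (opt-in, nothing loads until `accept()`), under `'ccpa'` the default is granted (opt-out, loaders run until `reject()` is called from a "Do Not Sell or Share" link). The regime names, the `createConsentGate` API and the sample loaders are assumptions made for the example.

```javascript
// Added example (not the page's or ComplixAI's code): a consent gate that
// defers tracker loading according to the regime's default.
function createConsentGate(regime) {
  if (regime !== 'gdpr' && regime !== 'ccpa') throw new Error(`unknown regime: ${regime}`);
  // GDPR: opt-in, so nothing runs until an explicit accept.
  // CCPA: opt-out, so loaders run until the user opts out.
  let consent = regime === 'ccpa' ? 'granted' : 'pending';
  const loaders = new Map(); // name -> function that injects the tracker
  const loaded = new Set();

  function flush() {
    if (consent !== 'granted') return;
    for (const [name, load] of loaders) {
      if (!loaded.has(name)) { loaded.add(name); load(); }
    }
  }

  return {
    // Register a tracker. It runs immediately only if consent is already granted.
    register(name, load) { loaders.set(name, load); flush(); },
    accept() { consent = 'granted'; flush(); },
    // Reject / opt-out: nothing further loads. Trackers that already ran (CCPA case)
    // are listed in state().loaded so the caller can signal them to stop as well.
    reject() { consent = 'denied'; },
    state() { return { consent, loaded: [...loaded] }; },
  };
}

// Loader that injects a <script> tag. It is a no-op without a DOM so the file
// also runs under Node.
function scriptLoader(src) {
  return () => {
    if (typeof document === 'undefined') return;
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
}

// Constructed walkthrough: an EU visitor (opt-in) and a California visitor (opt-out).
function demo() {
  const calls = [];
  const eu = createConsentGate('gdpr');
  eu.register('analytics', () => calls.push('eu:analytics'));
  const beforeAccept = calls.length; // still 0: nothing fired before "Accept"
  eu.accept();
  const afterAccept = calls.length;  // 1: analytics loaded only now

  const ca = createConsentGate('ccpa');
  ca.register('analytics', () => calls.push('ca:analytics')); // runs by default
  ca.reject();                                                // "Do Not Sell or Share" clicked
  ca.register('ads', () => calls.push('ca:ads'));             // must not run
  return { beforeAccept, afterAccept, calls };
}

console.log(demo());

// Browser wiring (assumed banner and placeholder tag id): the banner's Accept and
// Reject buttons call gate.accept / gate.reject; no tracker appears in the HTML.
if (typeof document !== 'undefined') {
  const gate = createConsentGate('gdpr');
  gate.register('gtm', scriptLoader('https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE'));
}
```

Because the tracker only ever enters the page through `register`, the static audit finding "tracker in the initial HTML" cannot occur, and because `reject()` exists as a first-class call, the banner has a real "Reject" path rather than only "Accept" and "Manage Preferences".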
GDPR & CCPA FAQ
Does GDPR apply to US-based websites?
Yes. If you have any visitors from the EU, GDPR applies to you regardless of where your business is located. The law is triggered by processing data of EU residents. Any US website with Google Analytics and EU traffic is processing personal data subject to GDPR.
What does a GDPR compliance check look for?
ComplixAI checks for: third-party trackers loading before cookie consent is obtained, presence and completeness of a Privacy Policy, cookie consent banner implementation (including whether it has a real reject option), form consent language, and pre-checked marketing opt-in boxes.
What is the CCPA and who does it apply to?
The California Consumer Privacy Act applies to for-profit businesses that: have annual revenue over $25M, buy/sell data from 100,000+ consumers per year, or derive 50%+ of revenue from selling data. The 2023 CPRA amendment strengthened these requirements and created the California Privacy Protection Agency to enforce them.
Do I need a cookie consent banner?
Under GDPR, yes — you need prior consent before setting non-essential cookies. A banner that loads analytics before the user clicks "Accept" is non-compliant. Under CCPA/CPRA, you need a "Do Not Sell or Share My Personal Information" link if you sell or share data with ad networks. These are different requirements.
What are the GDPR fines for websites?
Tier 2 violations (processing without consent, ignoring data subject rights) carry fines up to €20M or 4% of global annual turnover. The Irish DPC fined Meta €1.2 billion in 2023. German and French regulators have fined mid-size companies €50K–€250K for basic failures like firing analytics without consent.
Check Your Privacy Compliance Free
Find out exactly which privacy violations your site has — and get specific fixes for each one.