Seoxpert.io
GDPR · Schrems II · AI Act §50 · ePrivacy · CCPA

GDPR + Schrems II + AI Act §50 compliance checker

Five regulatory layers in one scan. GDPR (consent flows, tracker disclosure, AI-read privacy policy quality), Schrems II / SCCs (US subprocessor detection + SCC cross-check), AI Act §50 AI-content disclosure (in force 2 August 2026), the ePrivacy Directive (cookie law), and CCPA / CPRA opt-out. The auditor that actually tracks the EU regulatory clock.

What the scan checks

Cookie consent and tracker detection

  • Analytics and advertising scripts loading before user consent
  • Missing consent management platform (CookieBot, OneTrust, CookieYes, etc.)
  • Excessive tracking services creating consent complexity
  • Consent banner not blocking third-party scripts

Privacy policy quality (AI-powered)

  • Policy exists and is publicly linked from every page
  • All detected tracking services are disclosed
  • GDPR data subject rights mentioned (access, erasure, portability, rectification, objection)
  • Data controller contact or DPO named
  • Data retention periods specified
  • Legal basis for processing stated (consent, legitimate interest, etc.)

Required legal pages

  • Terms of Service / Terms & Conditions page
  • Dedicated Cookie Policy (separate from privacy policy)
  • Imprint / legal notice (required for EU/DE companies)
  • Visible contact email (GDPR Art. 13 — controller identity)

CCPA compliance signals

  • "Do Not Sell My Personal Information" link in site footer
  • Data sharing with advertising networks disclosed
  • California-specific opt-out mechanism present

We actually read your privacy policy

Most compliance scanners check whether a privacy policy URL exists. Seoxpert sends the policy text to AI and evaluates whether it covers the trackers you actually run, lists GDPR data subject rights, names a controller contact, and states the legal basis for processing.

  • Does the policy mention every tracking service in use?
  • Are all 6 GDPR user rights explicitly covered?
  • Is the policy written in plain language or dense legalese?

Which regulations apply to your site

Compliance requirements depend on where your visitors are — not just where you're registered.

GDPR: General Data Protection Regulation (EU)

Applies to: Any site that collects data from EU/EEA residents — regardless of where the company is based.
Fine range: Up to €20M or 4% of global annual revenue, whichever is higher.
Key requirements:
  • Lawful basis for every category of data processing
  • Transparent privacy notice (who, what, why, how long, rights)
  • Prior consent for non-essential cookies and tracking scripts

CCPA / CPRA: California Consumer Privacy Act (USA)

Applies to: For-profit businesses meeting any of: $25M+ revenue, 100k+ consumers' records, or 50%+ revenue from selling data.
Fine range: $2,500 per unintentional violation · $7,500 per intentional violation.
Key requirements:
  • "Do Not Sell or Share My Personal Information" opt-out right
  • Right to know what data is collected and sold
  • Right to delete personal data

ePrivacy Directive: EU Cookie Law (ePrivacy Directive)

Applies to: All websites using cookies or tracking technologies that target EU users.
Fine range: Varies by member state — UK ICO fines up to £500K; France CNIL fines up to €150K for cookie violations.
Key requirements:
  • Informed, specific, freely-given consent before setting non-essential cookies
  • Granular consent categories (analytics, marketing, functional)
  • Equal prominence for "reject" and "accept" options

Schrems II / SCCs: CJEU C-311/18 (Data Protection Commissioner v Facebook Ireland)

Applies to: Any EU controller transferring personal data to a third country without a Commission adequacy decision — covers most US-based subprocessors (Google Analytics, Stripe, OpenAI, Sentry, HubSpot, Salesforce).
Fine range: Enforcement via GDPR — €20M / 4% global revenue. Plus injunctions: in 2022, the Austrian DPA ordered the operator of NetDoktor.at to stop using Google Analytics; similar orders in DE, FR, IT.
Key requirements:
  • Standard Contractual Clauses (SCCs) module 2021/914 signed with every US subprocessor
  • Transfer Impact Assessment (TIA) per subprocessor showing equivalence
  • Supplementary measures where TIA finds gaps (encryption, pseudonymisation, contractual)

AI Act §50: Regulation (EU) 2024/1689 Article 50 (Transparency obligations for AI systems)

Applies to: In force from 2 August 2026. Operators offering AI-content services to EU users — regardless of where the business is established — must disclose AI-generated output in machine-readable form.
Fine range: Up to €15M or 3% of global annual turnover (Article 99), whichever is higher.
Key requirements:
  • Visible disclosure on AI-generated text, image, audio, video content
  • Machine-readable markup (Schema.org CreativeWork.isAIGenerated or equivalent)
  • AI-assistant output (chatbots) must identify itself as AI when interacting with users

Scan your site for GDPR gaps now

Free scan — consent flows, privacy policy quality, legal pages, and CCPA signals checked in one pass.
