Methodology

How CIPA Risk Scanner Scans Websites

Quick answer

CIPA Risk Scanner inspects a submitted page's HTML for known third-party tracking script patterns and consent banner indicators, groups detected tools by category, and reports technical risk indicators only — not legal conclusions.

1. What CIPA Risk Scanner checks

  • Ad pixels (Meta, TikTok, LinkedIn)
  • Analytics scripts (Google Analytics / GA4)
  • Tag managers (Google Tag Manager)
  • Chat widgets (Intercom, Drift, Tawk, Crisp, Zendesk, LiveChat)
  • Heatmaps (Crazy Egg, Lucky Orange)
  • Session replay tools (Hotjar, FullStory, Microsoft Clarity, Mouseflow, Smartlook)
  • Consent banner indicators (OneTrust, Cookiebot, TrustArc, Osano, CookieYes, iubenda)

2. How the scanner works today

  • The submitted URL is normalized (scheme added, hostname validated)
  • The page HTML is fetched server-side with a clearly identified user agent
  • Known script patterns and third-party domains are searched in the HTML
  • Detected tools are grouped by category and de-duplicated
  • Confidence is assigned based on how many matching indicators were found
  • Results are returned as technical risk indicators — not legal conclusions

3. What confidence means

  • High confidence: multiple script patterns or domains were detected for the same tool
  • Medium confidence: one recognizable indicator was detected

4. What the Free Scan does not verify

  • The Free Scan does not execute JavaScript, so it cannot verify whether scripts actually fire before any consent interaction
  • It does not capture network requests made by the browser at runtime
  • It does not confirm whether tracking data was transmitted
  • It does not evaluate whether a consent banner is configured correctly
  • It does not determine whether a website meets legal requirements

5. Why a paid Snapshot adds value

The paid Snapshot organizes findings into a private dashboard with a risk summary, tracker inventory, priority fix list, technical evidence notes, and a print/save PDF option, so the business has a structured record to share with developers or counsel.

6. Why monitoring adds value later

The Website Black Box concept is intended to show changes over time, such as new trackers, removed trackers, consent indicator changes, and historical visibility, so the business can spot drift between scans.

7. Legal disclaimer

CIPA Risk Scanner is not a law firm and does not provide legal advice. Results are technical risk indicators only and should not be interpreted as a legal conclusion. For legal guidance, consult a qualified attorney.

8. Live Pre-Consent Firing Test (paid only)

Paid Snapshot and Monitoring customers can run the Live Pre-Consent Firing Test from their dashboard. It opens the tested URL in a controlled, headless browser session, observes outbound network requests during initial page load, and records which known tracking or analytics endpoints — if any — are contacted before any consent interaction. The session does not click Accept, Agree, or Allow. The result records whether a consent banner was visible, which tracker categories were observed, and the timing and domain of each request. Results are based on the tested URL, test time, page state, network behavior, and observable browser session, and represent technical evidence for review — not a legal determination.

Frequently asked questions

Is this legal advice?

No. CIPA Risk Scanner provides educational and technical risk-modeling information. It does not provide legal advice or determine legal compliance. For legal guidance, consult a qualified attorney.

What does CIPA Risk Scanner detect?

CIPA Risk Scanner looks for visible indicators of common website tracking tools, including pixels, analytics scripts, tag managers, chat widgets, heatmaps, session replay tools, and consent banner indicators.

Does the scanner execute JavaScript?

The Free Scan does not — it inspects the initial page HTML only. The paid Live Pre-Consent Firing Test does: it loads the tested URL in a real headless browser session and observes outbound network requests before any consent interaction. It does not click Accept, Agree, or Allow.

Does the scanner store my data?

Free scan results are session-scoped previews. Paid Snapshot deliverables are stored privately and linked to the customer's lead record.

Can a cookie banner still allow tracking tools to load?

A cookie banner does not automatically mean every script is blocked before visitor choice. Configuration matters, and technical review may be needed.

How accurate is the confidence label?

Confidence reflects how many script patterns matched for a given tool. It is a technical signal, not a probability of legal risk.

What does "observed before consent interaction" mean?

It means the Live Pre-Consent Firing Test recorded a network request to a known tracker endpoint during initial page load, before any Accept / Agree / Allow button was clicked. It is technical evidence captured during a live browser session, not a legal conclusion.

Scan Your Website

Run a free, plain-English scan of your homepage for visible tracking risk indicators.

Scan your website

Related reading

Trust note

CIPA Risk Scanner provides technical website tracking visibility. Our scanner is designed to help businesses understand visible tracking indicators, not to provide legal conclusions. For legal guidance, consult a qualified attorney.

CIPA Risk Scanner is not a law firm and does not provide legal advice. Content on this page is educational and technical. For legal guidance, consult a qualified attorney.