CIPA Risk ScannerPowered by HealSprings Tech
Scan

Methodology

How CIPA Risk Scanner Scans Websites

Quick answer

CIPA Risk Scanner inspects a submitted page's HTML for known third-party tracking script patterns and consent banner indicators, groups detected tools by category, and reports technical risk indicators only — not legal conclusions.

1. What CIPA Risk Scanner checks

  • Ad pixels (Meta, TikTok, LinkedIn)
  • Analytics scripts (Google Analytics / GA4)
  • Tag managers (Google Tag Manager)
  • Chat widgets (Intercom, Drift, Tawk, Crisp, Zendesk, LiveChat)
  • Heatmaps (Crazy Egg, Lucky Orange)
  • Session replay tools (Hotjar, FullStory, Microsoft Clarity, Mouseflow, Smartlook)
  • Consent banner indicators (OneTrust, Cookiebot, TrustArc, Osano, CookieYes, iubenda)

2. How the scanner works today

  • The submitted URL is normalized (scheme added, hostname validated)
  • The page HTML is fetched server-side with a clearly identified user agent
  • Known script patterns and third-party domains are searched in the HTML
  • Detected tools are grouped by category and de-duplicated
  • Confidence is assigned based on how many matching indicators were found
  • Results are returned as technical risk indicators — not legal conclusions

3. What confidence means

  • High confidence: multiple script patterns or domains were detected for the same tool
  • Medium confidence: one recognizable indicator was detected

4. What CIPA Risk Scanner does not verify yet

  • Whether a visitor clicked Accept or Reject
  • Whether scripts fire before or after consent
  • Whether tracking data was actually transmitted
  • Whether a consent banner is configured correctly
  • Whether a website meets legal requirements

5. Why a paid Snapshot adds value

The paid Snapshot organizes findings into a private dashboard with a risk summary, tracker inventory, priority fix list, technical evidence notes, and a print/save PDF option, so the business has a structured record to share with developers or counsel.

6. Why monitoring adds value later

The Website Black Box concept is intended to show changes over time, such as new trackers, removed trackers, consent indicator changes, and historical visibility, so the business can spot drift between scans.

7. Legal disclaimer

CIPA Risk Scanner is not a law firm and does not provide legal advice. Results are technical risk indicators only and should not be interpreted as a legal conclusion. For legal guidance, consult a qualified attorney.

8. Future direction: deeper pre-consent behavior verification

Today, CIPA Risk Scanner focuses on visible technical indicators, Snapshot reporting, developer handoff, and tracker drift monitoring. A future upgrade may add deeper pre-consent behavior verification, such as comparing visible scripts, cookies, and network behavior before and after consent interactions. This is not part of the current MVP unless explicitly stated.

Frequently asked questions

Is this legal advice?

No. CIPA Risk Scanner provides educational and technical risk-modeling information. It does not provide legal advice or determine legal compliance. For legal guidance, consult a qualified attorney.

What does CIPA Risk Scanner detect?

CIPA Risk Scanner looks for visible indicators of common website tracking tools, including pixels, analytics scripts, tag managers, chat widgets, heatmaps, session replay tools, and consent banner indicators.

Does the scanner execute JavaScript?

No. The current Real Scanner Lite inspects the initial page HTML only. It does not execute JavaScript, take screenshots, or crawl additional pages.

Does the scanner store my data?

Free scan results are session-scoped previews. Paid Snapshot deliverables are stored privately and linked to the customer's lead record.

Can a cookie banner still allow tracking tools to load?

A cookie banner does not automatically mean every script is blocked before visitor choice. Configuration matters, and technical review may be needed.

How accurate is the confidence label?

Confidence reflects how many script patterns matched for a given tool. It is a technical signal, not a probability of legal risk.

Scan Your Website

Run a free, plain-English scan of your homepage for visible tracking risk indicators.

Scan your website

Related reading

Trust note

CIPA Risk Scanner provides technical website tracking visibility. Our scanner is designed to help businesses understand visible tracking indicators, not to provide legal conclusions. For legal guidance, consult a qualified attorney.

CIPA Risk Scanner is not a law firm and does not provide legal advice. Content on this page is educational and technical. For legal guidance, consult a qualified attorney.