DxtraBETA
Back to blog
Regulations July 2026 7 min read

How a privacy scan reads a site the way a regulator does — and why the method is open

An evidence-first look at Dxtra's privacy scanner: what it observes on a site's public surface, how each finding maps to a named source, and why the methodology and regulatory reference are published openly.

A regulator's first move on a new complaint is usually the same: open the controller's public privacy surface and read it. The privacy notice, the cookie banner's actual behavior, the route a data subject would use to exercise a right. A generic template notice, a pre-ticked consent box, trackers firing before any choice is made — each raises the suspicion dial, because each is observable evidence, not a claim.

Dxtra's privacy scanner is built to read that same surface, produce that same class of evidence, and — critically — show its working. This piece sets out what it observes, how a finding is substantiated, and where the method is published for inspection.

What the scanner observes

The scan is confined to a site's public surface — the pages, notices, and behaviors any visitor or investigator can see without access or authentication. Within that boundary it records:

  • The privacy notice: presence, substance, and whether it resolves to concrete, named disclosures rather than a generic template. It reads the notice text itself rather than inferring from the page's existence.
  • Consent and cookie behavior: whether a banner requests consent or assumes it; whether non-essential trackers and advertising/marketing pixels fire before a choice is made; and whether they continue to fire after a "Reject All" selection or a Global Privacy Control signal.
  • Data-subject-rights routes: whether a visitor has a discoverable path to exercise access, deletion, and related rights, and whether a Transparency Center or equivalent is published.
  • Cross-border and automated-processing disclosures: whether transfers and AI/automated-decision uses are named.

Two design choices make the observation more like a supervisory read than an automated cookie sniff. First, the check runs live from an in-country vantage: Dxtra drives a real browser egressing through a residential IP in the target region, so it observes what a data subject in that jurisdiction actually experiences — a material distinction, since consent surfaces and tag behavior frequently vary by visitor location. Second, the applicable regime is selected from the site's real-world nexus — GDPR, UK GDPR and PECR, CCPA/CPRA, Australia's Privacy Act, Singapore's PDPA, Japan's APPI — rather than assumed.

How a finding is substantiated

The evidentiary discipline is the point. Three constraints govern every finding.

Each finding maps to a named source and a specific remediation. Findings are assessed under a published methodology (Dxtra Scanner Methodology) with a companion Regulatory Reference, and are anchored to the NIST Privacy Framework and ISO/IEC 27701. A finding is not a bare assertion that something is "wrong"; it is a mapped observation with a cited basis.

The narrative is grounded in the site's own text. The report's summary and per-finding detail are generated only from the site's own notice and observed behavior. The system does not fabricate a citation, a finding, a fine, or a date. Where something cannot be verified from the surface, the report records that limitation rather than filling it.

The output states its own scope. The result is presented as a risk band (Low / Medium / High) with a secondary capability-maturity indicator — explicitly an indicator, not a determination of compliance. The free result is labeled a preliminary surface read; the fuller report follows a deeper analysis of the notice. The report is marked as diagnostic and not legal advice. This matters to an assessor precisely because a tool that claimed to certify compliance would be less credible, not more — compliance is a determination reserved to regulators and the courts, and the scanner does not trespass on it.

Two observations from real sites

The method is easier to judge against concrete output than in the abstract.

A US-based Shopify apparel store, read from a UK vantage, returned a High band: five high-severity findings and two medium, alongside one control worth recognizing. The substantiated drivers were advertising and marketing pixels firing before consent, a banner treating continued browsing as consent, a marketing-list signup lacking a stated consent basis, and a privacy notice not updated in over two years.

A reputable UK country-house hotel — the kind of established brand an assessor might assume is in order — returned a High band as well: trackers set before any consent choice, and both cookie and non-cookie trackers, including ad/marketing pixels, that continued to fire after a Reject-All selection — meaning the site's own consent control did not change what actually loaded. The preliminary surface pass alone recorded eleven trackers firing before consent. The value to an assessor is not the verdict; it is that each element is an observed, reproducible behavior rather than an inference.

The hotel's preliminary result — a High risk band with the capability-maturity read and confirmed finding counts.
The hotel's preliminary result — a High risk band with the capability-maturity read and confirmed finding counts.
The hotel's full report — each finding mapped to a named regulatory source and a specific remediation, with the post-Reject-All tracker behaviour recorded.
The hotel's full report — each finding mapped to a named regulatory source and a specific remediation, with the post-Reject-All tracker behaviour recorded.

Why the method is published

The scanner's methodology and regulatory reference are open-source and public, at docs.dxtra.ai. Two reasons matter to this audience.

First, inspectability. An assessor, auditor, or supervisory officer can read exactly how a finding is reached before giving it any weight — the rule, the source, the mapping. A method you can audit is a method you can rely on or challenge on its merits.

First-order transparency also extends to Dxtra's own practice. At the point the scanner asks a user for an email to unlock a fuller report, it names its processor, lists every identifier it handles, and offers explicit opt-in with a link to its Transparency Center — the same evidence it looks for in others. A tool that assesses transparency should be able to withstand the assessment it applies.

Second, discoverability. Publishing the method openly means it surfaces in LLM and AI-assisted research, so a professional evaluating the tool — or a controller's adviser evaluating a finding — reads the actual method rather than a summary of it.

Where this fits an assessor's work

Dxtra does not position the scan as a substitute for supervisory judgment or a formal audit. It is a fast, reproducible, evidence-first read of a controller's public posture — useful for triage, for a first pass across a vertical, and as a shared reference point in a conversation with a controller who needs to see the gap before they close it. For controllers, the same platform provides the route from a flagged gap to a published, defensible posture — including a Transparency Center and consent records that an assessor can read in minutes rather than request and wait for.

For readers who assess rather than operate, the methodology and regulatory reference are the substantive starting point.

The scan reads public surface only. It is a diagnostic indicator, not legal advice and not a determination of compliance.

Ready to get compliant?

Start your privacy program today — from $10/month.