Point CairnScan at any website and get a 15-section forensic report in under five minutes. A five-pass scan documents your site's actual consent behavior — pre-consent, after Accept All, after Reject All, under a Global Privacy Control signal, and across internal pages — scored against 37 privacy jurisdictions. Mobile app assessment is in development. Unlike tools that double as both CMP and auditor (a conflict of interest), or that simply list the cookies you have, CairnScan objectively shows you what a regulator would find, what a plaintiff's attorney would argue, and exactly what to fix.
37 regulatory frameworks, plus the EU ePrivacy Directive, US CIPA, US COPPA and US GPC signal testing. Automatic multi-jurisdiction detection.
See the full jurisdiction list →
Not a CMP vendor. Not a cookie scanner. An independent forensic auditor.
We audit OneTrust, Cookiebot, CookieYes, and every other consent platform. No CMP vendor will build this tool objectively — because it exposes failures in their own product. Normetics builds CairnScan as an unbiased independent auditor for consent platforms and privacy stacks.
Designed by Normetics, a company focused on responsible AI and regulatory technology, CairnScan documents every finding with SHA-256 hashed screenshots, a timestamped action log, and reproducible browser evidence — the format regulators cite in enforcement actions.
The same website or mobile app gets different grades under GDPR vs CCPA vs multiple other regimes. We detect applicable jurisdictions automatically and score against each one — including GPC testing, where applicable.
Select the jurisdiction where your company is based. CairnScan automatically detects additional applicable jurisdictions from your privacy policy, domain, and legal documents.
Results in 1 – 5 minutes.
We observe what an app actually does at runtime and compare it to what it declared — App Store / Play Store labels, privacy manifests, policy text — in a signed, timestamped evidence artifact. No source code, no developer access. We're choosing early design partners now. A few quick questions help us build the right thing.
23 automated checks across cookie compliance and privacy infrastructure.
Privacy Setup Checks
Privacy policy, terms of service, cookie policy, and accessibility statement — verified across common URL paths.
Whether required legal pages are linked from the footer of every page, not buried or missing.
"Do Not Sell or Share" link detection — required if you share visitor data with advertising platforms.
A persistent cookie preferences link so users can change their consent after the initial banner disappears.
Forms collecting email addresses checked for consent checkboxes, pre-checked dark patterns, and privacy links.
Analyzes your privacy policy against 13 required GDPR disclosure elements with sub-element analysis.
Automatic identification of all applicable jurisdictions from your domain, privacy policy, hreflang tags, and legal documents.
Determines your primary legal obligation from governing law clauses, corporate entity suffixes, and physical address patterns.
Flags child-directed signals — content and keyword cues, advertising trackers, a privacy policy silent on children, and a registration flow — that raise COPPA obligations.
Checks recipient vendors for EU-US Data Privacy Framework certification and detects the transfer mechanism your policy relies on, such as Standard Contractual Clauses.
Verifies a working data-subject-rights mechanism and a contact method so visitors can actually exercise their access, deletion, and correction rights.
Inspects the CMP consent receipt via its browser-side API for a timestamp and granular, category-level consent choices.
Detects processing activities — pre-consent tracking, behavioral profiling, undisclosed recipients, and unsafeguarded cross-border transfers — that trigger a mandatory Data Protection Impact Assessment.
Mobile app assessment (in development)
A declared-vs-observed runtime assessment of app-store binaries is in development as the mobile counterpart to the website scan. Not yet live; join the early-access list from the scan section.
The free scan gives you your compliance grade and headline findings. Paid tiers go deeper.
All plans are provided by Normetics LLC. Reports include timestamped forensic evidence with SHA-256 integrity hashes.
OneTrust, Cookiebot and CookieYes are Consent Management Platforms — they implement the consent banner. CairnScan is an independent auditor — we test whether their implementation actually works. We open a fresh browser, click Reject All, and document every cookie that persists. No CMP vendor will build this tool because it exposes failures in their own product. Beyond consent testing, CairnScan analyzes dark patterns with measured CSS evidence, checks your privacy policy against 13 GDPR-required disclosure elements, tests GPC signal compliance, and provides jurisdiction-specific scoring across 37 regulatory frameworks.
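As an added illustration of the pass comparison described above and in the opening paragraph (example code written for this page, not CairnScan's own): given cookie snapshots from the pre-consent, Reject All and GPC passes and an assumed cookie categorisation, it lists the cookies that should not be present in each pass, counts them differently for GDPR and CCPA/CPRA, and SHA-256 hashes the findings record in the spirit of the report's hashed evidence. The cookie names, categories and snapshots are constructed for the example.

```python
import hashlib
import json

# Constructed sample snapshots of the cookie names observed after each scan
# pass. These are invented for the example, not output from a real scan.
PASSES = {
    "pre_consent": {"session_id", "_ga", "_fbp"},
    "accept_all": {"session_id", "_ga", "_fbp", "_gcl_au"},
    "reject_all": {"session_id", "_ga"},
    "gpc_signal": {"session_id", "_ga", "_fbp"},
}

# Assumed categorisation of each cookie; a real audit would take this from a
# maintained vendor database rather than a hand-written map.
CATEGORY = {
    "session_id": "essential",
    "_ga": "analytics",
    "_fbp": "advertising",
    "_gcl_au": "advertising",
}


def audit_passes(passes, category):
    """Diff the passes and list the non-essential cookies that should not be there."""
    def non_essential(names):
        return sorted(n for n in names if category.get(n, "unknown") != "essential")

    return {
        # Under a consent regime only essential cookies may be set before a choice
        "set_before_consent": non_essential(passes["pre_consent"]),
        # Anything non-essential that survives Reject All is a broken reject path
        "persist_after_reject": non_essential(passes["reject_all"]),
        # GPC is an opt-out of sale/sharing, so only advertising cookies count here
        "shared_despite_gpc": sorted(
            n for n in passes["gpc_signal"] if category.get(n) == "advertising"
        ),
    }


def jurisdiction_issues(findings):
    """Same findings, different counts: GDPR keys on consent, CCPA/CPRA on the GPC opt-out."""
    return {
        "GDPR": len(findings["set_before_consent"]) + len(findings["persist_after_reject"]),
        "CCPA": len(findings["shared_despite_gpc"]),
    }


def evidence_hash(findings):
    """SHA-256 over canonical JSON, so identical findings always yield the same digest."""
    blob = json.dumps(findings, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    found = audit_passes(PASSES, CATEGORY)
    print(json.dumps(found, indent=2))
    print(jurisdiction_issues(found), evidence_hash(found))
```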
GDPR (EU), UK GDPR + PECR, nFADP (Switzerland), CCPA/CPRA (US), PIPA (South Korea), APPI (Japan), PDPA (Singapore), LGPD (Brazil), DPDP Act (India), Privacy Act (Australia), PIPEDA (Canada), Quebec Law 25, Privacy Act 2020 (New Zealand), PIPL (China), 152-FZ (Russia), PDPA (Thailand), KVKK (Turkey), Privacy Protection Law (Israel), POPIA (South Africa), Law 25,326 (Argentina), Law 1581 (Colombia), Ley 29733 (Peru), Ley 18.331 (Uruguay), NDPA (Nigeria), PDPA (Taiwan), PDPL (Saudi Arabia), Federal PDPL (UAE), DPL No. 151 (Egypt), DPA 2019 (Kenya), DPA 2012 (Ghana), DPPA 2019 (Uganda), LFPDPPP (Mexico), Data Protection Law (Chile), Data Privacy Act 2012 (Philippines), PDPA 2010 (Malaysia), PDPL (Vietnam), and PDP Law 2022 (Indonesia). CairnScan automatically detects which jurisdictions apply based on your privacy policy content, domain signals, hreflang tags, and company location. GPC signal compliance is tested against the legal requirements of US states. We also assess US-specific exposure under CIPA (California wiretapping/pen-register) and COPPA (children's privacy).
Yes. The scan uses a standard headless browser — the same technology Google uses to index your site. It sends normal HTTP requests, clicks your consent banner, and observes the response. It does not modify your site, inject code, or access any authenticated areas.
Only you. Your report is delivered to the email address you provide and retained in accordance with our Privacy Policy; you may request deletion at any time. We do not publish, share, or sell scan results. Full details in our Privacy Policy.
You get an instant summary report with your compliance grade, cookie breakdown, reject-path test result, and privacy setup findings. For the full 15-section report — complete cookie inventory, visual evidence, dark-pattern analysis, policy adequacy review, CIPA exposure, and a phased remediation roadmap — order the Full Report directly from the pricing section.
Mobile app assessment is in development. The website scan is live today; the mobile counterpart — a declared-vs-observed runtime assessment of app-store binaries — is in early access. Join the list from the scan section.
The report includes SHA-256 hashed screenshots, a timestamped forensic action log, and per-cookie penalty transparency — the evidence format regulators reference in enforcement actions. It is designed to be shared with legal counsel or attached to a regulatory filing. However, it is a technical assessment, not legal advice.
The free scan gives you both compliance grades and headline findings. The Full Report delivers diagnostic and remediation together as one document — complete technical evidence, prioritized remediation plan with timelines, and CMP configuration guidance. Custom pricing covers multi-property portfolios, recurring programs, consultants, and bespoke scope. Continuous Monitoring (coming soon) replaces point-in-time scans with always-on tracking — monthly re-scans, drift alerts, and delta reporting.
CairnScan is developed and operated by Normetics LLC, a US-based company focused on building digital products and providing advisory services in the intertwined areas of responsible AI and regulatory technology.