This is the report you get after a scan — the compliance score, the millisecond-by-millisecond tracker timeline, the evidence behind each finding, and the fix for each one. The data below is illustrative, for a fictional dental practice; the format is exactly what your real report uses.
The score reflects the site's current posture: each distinct pre-consent finding lowers it, and it recovers as findings are fixed and verified by a clean re-scan.
When each third-party tool first contacted its server, measured from page load. The consent banner rendered at T+900ms; no consent interaction occurred at any point during the capture — so everything below fired before a visitor could possibly have opted in.
| First fire | Tool | Initial request URL | Requests | Data sent |
|---|---|---|---|---|
| T+340ms | Meta Pixel | connect.facebook.net/en_US/fbevents.js | 6 | 4.2KB |
| T+610ms | Google Analytics 4 | www.googletagmanager.com/gtag/js?id=G-SAMPLE01 | 9 | 6.8KB |
| T+1,120ms | Hotjar (session recording) | script.hotjar.com/modules.xxxxxxx.js | 14 | 18.3KB |
| T+2,450ms | Live-chat widget | embed.chat-widget.example/loader.js | 5 | 2.9KB |
#cookie-banner, rendered T+900ms, Accept / Decline controls)
EnforcementNot enforcing — all four trackers above initiated network activity before the banner rendered
Bypass testAfter clicking “Decline,” the trackers stopped issuing new requests. The banner works once used — the problem is everything that fired before it.
#cookie-banner)Each real report ships with the raw evidence behind every line above: the full network log (network-log.json), the machine-readable findings summary (summary.json), before/after screenshots of the consent banner, and a recording.webm of the entire page load — so you can see for yourself exactly what fired and when.
Every finding pairs the evidence (what fired, when, on which page) with why it matters and what to do about it. Here are the three from the sample above.
The pixel loaded and reported the visit 340 milliseconds after page load — 560ms before the consent banner even rendered, and before any consent interaction. Sending visitor data to an ad platform ahead of a consent choice is the exact timing pattern cited in CIPA § 631 demand letters and in CCPA “sharing” analyses. That's a technical finding about timing, not a legal conclusion — but it's the finding plaintiff-side scanners look for first.
Session recording began before any consent interaction — on the page where prospective patients type appointment requests and contact details. Recorders capturing input on intake forms before consent are the core allegation of the session-replay lawsuit wave, and health-adjacent pages draw extra scrutiny.
The site did the right thing by installing a consent banner — it just isn't gating anything. The tags are hard-coded into the page, so they fire on load regardless of what the visitor chooses. This is the single most common gap we see: in our 2026 scan of 1,478 small-business sites, 58% fired at least one tracker before consent, and nearly all of them had some consent setup.
Under California Penal Code § 631, with statutory damages set by § 637.2, plaintiffs argue that every California visitor session recorded before consent is a separate violation worth up to $5,000. The report applies that math to your traffic so you can see the figure a demand letter would cite. For this fictional practice:
Illustrative assumption of 1,000 visitors/month with 12% from California → ≈120 California sessions/month → ≈1,440/year × $5,000 = a theoretical statutory ceiling of ≈$7.2M. That is the ceiling plaintiffs cite — not a prediction of what any business would owe, and not a legal conclusion. Real settlements are negotiated and vary widely; the point of the report is to remove the findings so the math stops applying at all.
Every finding comes with the specific fix, so remediation is an action list rather than a research project. For the sample findings above:
A report is a snapshot; sites don't stay snapshots. New marketing tags, plugin updates, and chat widgets get added constantly, and any one of them can silently undo a clean report. Monitoring re-scans your site on a schedule, emails you the moment a new tracker appears or starts firing before consent, sends a plain-language weekly compliance summary, and keeps the dated evidence history that shows your site was clean — and when.
See your own site's real report in 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.