Free scan
Sample Sample report — illustrative data for a fictional business. sample-dental-practice.example.com does not exist; every number below is made up to show the report format. Run a real scan of your own site free →
Sample report

What a RegSentry evidence report looks like

This is the report you get after a scan — the compliance score, the millisecond-by-millisecond tracker timeline, the evidence behind each finding, and the fix for each one. The data below is illustrative, for a fictional dental practice; the format is exactly what your real report uses.

Illustrative sample
RegSentry
Website Privacy Evidence Report
Subject site (fictional)
Domainsample-dental-practice.example.com BusinessSample Dental Practice (fictional) IndustryDental Scan dateJuly 8, 2026 (illustrative) Browser engineChromium (Playwright), headless, cold cache, no user account Pages captured/ (homepage) and /book-appointment Network requests142 total · 38 script requests Consent statusBanner detected — but trackers fired before any consent interaction
Compliance score
31/100
High risk · 3 findings

The score reflects the site's current posture: each distinct pre-consent finding lowers it, and it recovers as findings are fixed and verified by a clean re-scan.

First network contact per tracker

When each third-party tool first contacted its server, measured from page load. The consent banner rendered at T+900ms; no consent interaction occurred at any point during the capture — so everything below fired before a visitor could possibly have opted in.

First fireToolInitial request URLRequestsData sent
T+340msMeta Pixelconnect.facebook.net/en_US/fbevents.js64.2KB
T+610msGoogle Analytics 4www.googletagmanager.com/gtag/js?id=G-SAMPLE0196.8KB
T+1,120msHotjar (session recording)script.hotjar.com/modules.xxxxxxx.js1418.3KB
T+2,450msLive-chat widgetembed.chat-widget.example/loader.js52.9KB
Consent banner analysis
CMP / bannerDetected (selector #cookie-banner, rendered T+900ms, Accept / Decline controls) EnforcementNot enforcing — all four trackers above initiated network activity before the banner rendered Bypass testAfter clicking “Decline,” the trackers stopped issuing new requests. The banner works once used — the problem is everything that fired before it.
Compliance checklist
  • Consent banner present — found (#cookie-banner)
  • Consent banner effective — trackers fired before it rendered
  • Privacy policy linked — found in footer
  • Opt-out mechanism — not detected
  • Data subject request (DSAR) process — not detected
Evidence package

Each real report ships with the raw evidence behind every line above: the full network log (network-log.json), the machine-readable findings summary (summary.json), before/after screenshots of the consent banner, and a recording.webm of the entire page load — so you can see for yourself exactly what fired and when.

The findings, one by one

Every finding pairs the evidence (what fired, when, on which page) with why it matters and what to do about it. Here are the three from the sample above.

Finding 1 — Meta Pixel fired before consent High
T+340ms · https://sample-dental-practice.example.com/ · GET connect.facebook.net/en_US/fbevents.js → POST facebook.com/tr (PageView: page URL + browser metadata)

The pixel loaded and reported the visit 340 milliseconds after page load — 560ms before the consent banner even rendered, and before any consent interaction. Sending visitor data to an ad platform ahead of a consent choice is the exact timing pattern cited in CIPA § 631 demand letters and in CCPA “sharing” analyses. That's a technical finding about timing, not a legal conclusion — but it's the finding plaintiff-side scanners look for first.

Finding 2 — Hotjar session recording started pre-consent High
T+1,120ms · https://sample-dental-practice.example.com/book-appointment · recording module loaded from script.hotjar.com; interaction capture (mouse movement, scrolling, keystroke metadata) began while the new-patient booking form was on screen

Session recording began before any consent interaction — on the page where prospective patients type appointment requests and contact details. Recorders capturing input on intake forms before consent are the core allegation of the session-replay lawsuit wave, and health-adjacent pages draw extra scrutiny.

Finding 3 — Consent banner present but not enforcing Medium
#cookie-banner rendered at T+900ms with Accept/Decline · 4 trackers initiated network activity at T+340ms–T+2,450ms with no consent interaction

The site did the right thing by installing a consent banner — it just isn't gating anything. The tags are hard-coded into the page, so they fire on load regardless of what the visitor chooses. This is the single most common gap we see: in our 2026 scan of 1,478 small-business sites, 58% fired at least one tracker before consent, and nearly all of them had some consent setup.

How the exposure framing works

Under California Penal Code § 631, with statutory damages set by § 637.2, plaintiffs argue that every California visitor session recorded before consent is a separate violation worth up to $5,000. The report applies that math to your traffic so you can see the figure a demand letter would cite. For this fictional practice:

Illustrative assumption of 1,000 visitors/month with 12% from California → ≈120 California sessions/month → ≈1,440/year × $5,000 = a theoretical statutory ceiling of ≈$7.2M. That is the ceiling plaintiffs cite — not a prediction of what any business would owe, and not a legal conclusion. Real settlements are negotiated and vary widely; the point of the report is to remove the findings so the math stops applying at all.

Remediation steps in the report

Every finding comes with the specific fix, so remediation is an action list rather than a research project. For the sample findings above:

  1. Gate the Meta Pixel behind consent. Move the pixel out of the hard-coded page source and load it through your CMP's prior-blocking (or Google Tag Manager with consent mode), so it fires only after a visitor accepts.
  2. Require consent before Hotjar records. Enable Hotjar's consent-based activation or load it via the CMP, and suppress capture on the booking-form fields either way.
  3. Make the banner actually block. A banner that renders after the trackers fire isn't gating anything — wire every tag through the CMP so nothing loads until a choice is made, and add the missing opt-out and DSAR mechanisms while you're in there.
  4. Re-scan to document the fix. A timestamped clean re-scan is your dated evidence that the issue was found and corrected — the good-faith record you want on file if a demand letter ever arrives.

What continuous monitoring adds

A report is a snapshot; sites don't stay snapshots. New marketing tags, plugin updates, and chat widgets get added constantly, and any one of them can silently undo a clean report. Monitoring re-scans your site on a schedule, emails you the moment a new tracker appears or starts firing before consent, sends a plain-language weekly compliance summary, and keeps the dated evidence history that shows your site was clean — and when.

See your own site's real report in 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Scan my site free See monitoring plans ($99/mo)