When we say our scanner is "Based on official guidelines", we mean it. Every one of our 34+ compliance checks traces back to specific legal articles, regulatory guidance, or established case law. This transparency report details exactly which official sources power each category of our scanner.
Primary Legal Foundation
GDPR (Regulation EU 2016/679)
The General Data Protection Regulation is the cornerstone. Our scanner directly implements checks based on:
- Article 5 — Principles (lawfulness, fairness, transparency, data minimization)
- Article 6 — Lawfulness of processing (legal basis requirement)
- Article 7 — Conditions for consent (freely given, specific, informed, unambiguous)
- Articles 13 & 14 — Information to be provided (privacy policy requirements)
- Article 17 — Right to erasure ("Right to be Forgotten")
- Article 25 — Data protection by design and by default
- Article 32 — Security of processing (technical and organizational measures)
- Article 35 — Data Protection Impact Assessment (DPIA)
ePrivacy Directive (2002/58/EC)
The "Cookie Law" provides specific rules on:
- Article 5(3) — Prior informed consent for storing/accessing information on terminal equipment
- Recitals 24-25 — Confidentiality of communications and cookie requirements
This is the legal basis for our cookie consent checks: non-essential cookies absolutely cannot load before user consent.
European Data Protection Board (EDPB) Guidelines
The EDPB's Guidelines 05/2020 on consent (WP259) critically shape our consent banner analysis:
- Consent must be freely given — no cookie walls allowed
- Consent must be as easy to withdraw as to give
- "Accept All" and "Reject All" must have equal prominence
- No pre-ticked boxes or assumed consent
- Granular consent options required for different purposes
National Data Protection Authority Guidelines
France: CNIL
- Cookie Guidelines 2020 — 13-month maximum cookie lifetime
- Consent Guidelines — Visual equality of accept/reject buttons
- Recommendation on Cookies — Technical cookies definition
UK: Information Commissioner's Office (ICO)
- Guidance on Cookies — "Consent must be freely given"
- Privacy by Design Guidelines — Technical implementation standards
Germany: BfDI and State DPA Guidelines
- DSGVO Implementation Guides — Technical and organizational measures
- Cookie Consent Requirements — Stricter than EU baseline
Technical Security Standards
ENISA & NIST Alignment
Our security headers and SSL checks align with:
- OWASP Secure Headers Project — CSP, HSTS, X-Frame-Options requirements
- NIST SP 800-52 — TLS implementation guidelines
- NCSC Guidelines — UK National Cyber Security Centre recommendations
What This Means for Your Audit
When you run our scanner, every flagged issue directly references its legal foundation:
- COOKIES_BEFORE_CONSENT → GDPR Art. 5(3) + ePrivacy Directive
- NO_REJECT_OPTION → EDPB Guidelines 05/2020, CNIL Guidelines
- PRE_CHECKED_BOXES → GDPR Art. 7 + EDPB Recital 32
- MISSING_CSP → GDPR Art. 32 (security of processing)
- SSL_INVALID → GDPR Art. 32 + technical standards
Our Commitment to Accuracy
We continuously update our scanner as guidelines evolve. Recent updates include:
- May 2026: Updated to 34+ checkpoints after CNIL 2025 cookie lifetime guidance
- March 2026: Added TCF 2.0 API detection per IAB Europe updates
- February 2026: Enhanced consent banner prominence testing per latest EDPB guidance
Our legal team reviews regulatory updates monthly to ensure your audit reflects current requirements.