Privacy Audit: a beginner's guide
Cookies, trackers, and compliance analysis
Web privacy audits: what regulators actually look at on your site
A web privacy audit is the systematic check of whether a website complies with the privacy laws and regulations that apply to its visitors. The two laws most often cited are the General Data Protection Regulation (GDPR) in the European Union (in force since 2018) and the California Consumer Privacy Act (CCPA), later expanded into the California Privacy Rights Act (CPRA) (in force since 2023). Beyond those, there are similar laws in Canada (PIPEDA), Brazil (LGPD), Japan (APPI), Australia (Privacy Act), and a growing number of US states (Virginia, Colorado, Connecticut, Utah, etc.). A privacy audit checks whether the website is doing the things these laws require — and not doing the things they forbid.
You should care because privacy fines are existential at the upper end and embarrassing at the lower end. The largest GDPR fines on record (against Meta, Amazon, and TikTok) have been in the hundreds of millions of euros each. Even small companies have been fined six figures for things as ordinary as having a cookie banner that pre-checked the consent boxes, or running Google Analytics without explicit user consent. The most common audit findings are not exotic legal interpretations — they are basic hygiene failures that any site can fix in a day.
The five things every privacy audit looks at:
Cookies before consent. Are any non-essential cookies being set before the user accepts the cookie banner? This is the single most common GDPR violation. Analytics cookies, advertising cookies, and most third-party cookies all require prior consent.
Cookie banner quality. Is there a banner at all? Does it offer a real "reject all" option (not just "accept all" plus a hidden settings page)? Is consent recorded and stored?
Third-party trackers. Which trackers does the page load (Google Analytics, Facebook Pixel, Hotjar, Mixpanel, etc.) and have they been disclosed in the privacy policy?
Privacy policy presence and quality. Is there a privacy policy link in the footer? Does it actually disclose what data is collected, why, and how to opt out?
Data subject rights. Is there a clear way for a user to request their data, delete their data, or object to processing — as required by GDPR?
Three questions a privacy audit answers:
Are there any obvious GDPR or CCPA violations on my website right now?
Is my cookie banner actually compliant, or is it the kind that has been fined repeatedly?
For a legal questionnaire from a customer or partner, what is my current privacy posture in concrete terms?
The cost of skipping privacy audits is the small but real risk of a fine, plus the larger risk of failing customer security questionnaires and losing deals. The fix is mostly a matter of configuring the cookie banner correctly and making sure the third-party trackers respect the consent state. The official GDPR text lives at gdpr.eu and the CCPA at the California Attorney General's office.
The Privacy Audit endpoint, in plain language
In one sentence: Cookies, trackers, and compliance analysis
Analyzes cookies, consent management sophistication, privacy policy content, third-party trackers, CCPA/CPRA compliance signals, and cookie wall detection for privacy regulation readiness assessment. Checks for GDPR (General Data Protection Regulation) elements in privacy policy content (data rights, legal basis, DPO (Data Protection Officer), transfer mechanisms) and CCPA (California Consumer Privacy Act) terms (California disclosures, right to know/delete). Note: this is a static HTML (HyperText Markup Language) analysis that detects compliance signals and documentation presence — it cannot verify cookie-blocking behavior before consent or test opt-out mechanism functionality, which require browser-based testing.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Performs a privacy audit: inventories first-party and third-party cookies with security attributes (Secure, HttpOnly, SameSite), detects consent management platforms with sophistication analysis (IAB TCF API (Application Programming Interface), granular consent categories, reject-all buttons, Google Consent Mode v2), fetches and analyzes privacy policy content for GDPR (General Data Protection Regulation) terms (data rights, legal basis, DPO (Data Protection Officer) contact, transfer mechanisms) and CCPA (California Consumer Privacy Act) terms (California disclosures), identifies third-party trackers by category, evaluates CCPA signals (Do Not Sell link detection), detects cookie walls (GDPR/ePrivacy violation), and computes enhanced compliance indicators for GDPR and CCPA readiness based on substantive content analysis. Returns a score, grade, per-component breakdown, and actionable recommendations.
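The static checks described above, as an added Python example that is not EdgeDNS code: it inventories Set-Cookie headers with their Secure/HttpOnly/SameSite attributes, maps external script hosts to a tracker category, and looks for consent-banner and CCPA markers in the page HTML. The sample cookies, the HTML and the tracker host list are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample input (not a real capture): audited site, Set-Cookie headers keyed by sending host, page HTML.
SITE = "example.com"
COOKIES = [
    ("example.com", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("example.com", "_ga=GA1.2.111; Path=/; Max-Age=63072000"),
    ("www.facebook.com", "fr=xyz; Path=/; Secure; SameSite=None"),
]
HTML = """<head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>
<script>gtag('consent', 'default', {'analytics_storage': 'denied'});</script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script></head>
<body><div id="cookie-banner"><button>Accept all</button><button>Reject all</button></div>
<footer><a href="/privacy-policy">Privacy Policy</a>
<a href="/do-not-sell">Do Not Sell or Share My Personal Information</a></footer></body>"""
# Assumed tracker host list (hypothetical); a real audit uses a maintained database.
TRACKER_HOSTS = {"www.google-analytics.com": "analytics", "connect.facebook.net": "advertising",
                 "www.googletagmanager.com": "tag-manager", "static.hotjar.com": "session-replay"}

def inventory_cookies(site, cookies):
    """Classify each cookie as first/third party and record Secure/HttpOnly/SameSite."""
    out = []
    for host, header in cookies:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():  # m["secure"] is True when the flag is present, else ""
            out.append({"name": name, "firstParty": host == site or host.endswith("." + site),
                        "secure": bool(m["secure"]), "httpOnly": bool(m["httponly"]),
                        "sameSite": m["samesite"] or None})
    return out

def find_trackers(html):
    """Map external <script src> hosts to a tracker category."""
    hosts = re.findall(r'<script[^>]+src="https?://([^/"]+)', html, re.I)
    return {h: TRACKER_HOSTS[h] for h in hosts if h in TRACKER_HOSTS}

def consent_signals(html):
    """Static markers that a consent banner and a CCPA disclosure leave in the HTML."""
    return {
        "iabTcfApi": "__tcfapi" in html,
        "googleConsentMode": bool(re.search(r"gtag\(\s*['\"]consent['\"]", html)),
        "rejectAllButton": bool(re.search(r"<button[^>]*>\s*(reject|decline) all", html, re.I)),
        "privacyPolicyLink": bool(re.search(r'href="[^"]*privacy[^"]*"', html, re.I)),
        "doNotSellLink": bool(re.search(r"<a[^>]*>[^<]*do not sell", html, re.I)),
    }

def audit(site=SITE, cookies=COOKIES, html=HTML):
    return {"cookies": inventory_cookies(site, cookies), "thirdPartyTrackers": find_trackers(html),
            "consentManagement": consent_signals(html)}
```

Like the endpoint, this only reads markup and headers; whether the trackers actually stay silent until consent is given needs a browser-based test.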
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Privacy Audit tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Privacy regulations (GDPR (General Data Protection Regulation), CPRA (California Privacy Rights Act), ePrivacy Directive (EU ePrivacy Directive)) carry significant fines for non-compliance. Websites frequently add tracking scripts without proper consent mechanisms. This audit provides the visibility needed to maintain compliance.
Picture this in real life. Imagine a data protection officer. Here's the situation they're walking into: they need to audit websites for tracking technologies that require consent under GDPR (General Data Protection Regulation). Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Privacy Audit tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Privacy Audit tool is built for you:
Does my website meet the legal requirements (accessibility, privacy, international standards)?
If a regulator audited my site tomorrow, what would they find?
Where are the gaps I should fix before they become an expensive problem?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Legal and compliance teams, accessibility officers, data-protection officers, and product managers shipping into regulated markets. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you discover the violation when a regulator, a lawyer, or an angry customer finds it for you. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/privacy-audit`.
When would I actually use this?
If you're still on the fence about whether the Privacy Audit tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a data protection officer, a privacy engineer, and a privacy analyst — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: GDPR Compliance Check
Imagine you're a data protection officer who needs to audit websites for tracking technologies that require consent under GDPR (General Data Protection Regulation).
Why it matters: Identify compliance gaps before they result in regulatory fines.
Story 2: Cookie Audit
Imagine you're a privacy engineer who needs to inventory all cookies set by the website, including third-party cookies and their security attributes.
Why it matters: Maintain an accurate cookie inventory for privacy notices.
Story 3: Vendor Privacy Assessment
Imagine you're a privacy analyst who needs to evaluate vendor websites for tracker usage and consent management as part of procurement.
Why it matters: Assess vendor privacy practices before sharing user data.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Privacy Audit tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Before launching into a new region (especially the EU, the UK, California, or Canada).
During a quarterly compliance review.
When a customer or partner sends you a security questionnaire.
In response to a complaint, audit notice, or legal threat.
If you can see yourself in even one of those bullets, the Privacy Audit tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Privacy Audit tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Privacy Audit tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/privacy-audit?domain=example.com"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to audit privacy for | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The audited domain |
| cookies | object | Cookie inventory: first-party, third-party, session, persistent |
| consentManagement | object | Consent banner detection: provider, IAB TCF API (Application Programming Interface), granular consent categories, reject-all button, Google Consent Mode v2, cookie wall detection |
| privacyPolicy | object | Privacy policy presence, URL (web address), and content analysis (GDPR/CCPA term detection) |
| thirdPartyTrackers | object | Tracker inventory by category |
| ccpa | object | CCPA (California Consumer Privacy Act) compliance signals: Do Not Sell link detection and URL (web address) |
| complianceIndicators | object | GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) readiness flags, including Do Not Sell link and cookie wall detection |
| score | number | Privacy score, 0-100 |
| grade | string | Letter grade, A-F |
| gradeDescription | string | Human-readable description of the grade (e.g., "Very Good - strong posture") |
| breakdown | object | Per-component score breakdown, with the maximum points per component: cookieSecurity (20), consentQuality (25), privacyPolicy (12), trackerCount (13), firstPartyOnly (10), ccpaSignals (12), cookieWall (8) |
| recommendations | array | Privacy improvement actions |
| confidence | object | Result confidence indicator: level (high/medium/low) and a list of limitations |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
GDPR (General Data Protection Regulation) — Europe's privacy law. Requires websites to be transparent about what personal data they collect and how they use it.
CCPA (California Consumer Privacy Act) — California's privacy law. Gives California residents the right to know what personal data a company has collected about them.
HTML (HyperText Markup Language) — The basic language web pages are written in. The tags you see in the source code (<h1>, <p>, <a>) are HTML.
CPRA (California Privacy Rights Act) — An update to California's CCPA privacy law that adds new rights for residents and creates a dedicated privacy regulator. Took effect in 2023.
DPO (Data Protection Officer) — A person designated inside a company to oversee its compliance with privacy laws like GDPR. Required for many organizations that handle large amounts of personal data.
ePrivacy Directive (EU ePrivacy Directive) — An EU privacy law specifically about electronic communications and tracking technologies like cookies. The reason every European website asks you to accept cookies.