No cookies set before consent
Load the page in a fresh browser with no cookies. Check the Network tab — no analytics, advertising, or tracking cookies should fire before you interact with the banner.
Reject All button present & equally prominent
The cookie banner must offer a Reject All option at the same level as Accept All. If Reject All requires an extra click, this is a dark pattern.
HTTPS enforced on all pages
Type http:// before the URL. You should be automatically redirected to https://. Check the padlock icon and verify the SSL certificate is valid and not self-signed.
Privacy Policy accessible from every page
Check the footer of every page — there must be a clearly labelled "Privacy Policy" link. It should open a dedicated, readable policy page (not a pop-up with minimal text).
Privacy Policy contains all mandatory elements
The policy must identify the data controller, list processing purposes with legal basis, disclose recipients, state retention periods, and describe all data subject rights.
Content Security Policy (CSP) header present
Open browser DevTools → Network → click the main document → Headers. Look for "content-security-policy" (a "content-security-policy-report-only" header on its own only reports violations and enforces nothing). A missing CSP leaves the site with no browser-side mitigation against XSS, a critical gap under GDPR Art. 32.
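The three browser-based checks above (cookies before consent, the http:// to https:// redirect, and the CSP header) can be repeated mechanically against captured responses. The script below is an added example, not part of the DPO Advisors checklist: it takes the status code, headers and Set-Cookie lines of a first-visit response and returns pass/fail findings. The tracking-cookie prefix list, the sample captures and the example.test host are constructed for illustration; in a real run you would feed in the responses a fresh client (curl, urllib) receives for the http:// and https:// URLs. It goes one step beyond the page by distinguishing an enforced CSP from a Report-Only one.

```python
# Added example: offline evaluation of three flash-audit checks against
# captured HTTP responses. Not the DPO Advisors tool; all sample data below
# is constructed.

# Cookie-name prefixes of common analytics/advertising tags (assumed list,
# extend it with whatever your own tag inventory sets).
TRACKING_COOKIE_PREFIXES = (
    "_ga", "_gid", "_gat",      # Google Analytics
    "_fbp", "_fbc",             # Meta Pixel
    "_hj",                      # Hotjar
    "lidc", "bcookie", "li_",   # LinkedIn Insight Tag
)
REDIRECT_CODES = {301, 302, 307, 308}


def cookie_name(set_cookie_value):
    """Name part of a raw Set-Cookie value: '_ga=GA1.2.1; Path=/' -> '_ga'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def tracking_cookies_before_consent(set_cookie_values):
    """Check 'No cookies set before consent': tracking cookies a pristine
    browser would receive from the first response, before touching the banner."""
    names = [cookie_name(v) for v in set_cookie_values]
    return [n for n in names if n.startswith(TRACKING_COOKIE_PREFIXES)]


def https_enforced(status, headers):
    """Check 'HTTPS enforced': the plain http:// request must be answered with
    a redirect whose Location is an https:// URL. Returns (ok, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_CODES:
        return False, f"http:// request answered with {status}, not a redirect"
    location = h.get("location", "")
    if not location.lower().startswith("https://"):
        return False, f"redirect points at {location!r}, not an https:// URL"
    return True, "redirects to " + location


def csp_status(headers):
    """Check 'CSP header present' on the main document. Report-Only is
    reported separately because it enforces nothing."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in h:
        return "enforced", h["content-security-policy"]
    if "content-security-policy-report-only" in h:
        return "report-only", h["content-security-policy-report-only"]
    return "missing", None


def flash_audit(http_status, http_headers, https_headers, set_cookies):
    """Combine the three checks into one findings dict (True = pass)."""
    leaked = tracking_cookies_before_consent(set_cookies)
    redirect_ok, redirect_note = https_enforced(http_status, http_headers)
    csp_state, _ = csp_status(https_headers)
    return {
        "no_tracking_cookies_before_consent": not leaked,
        "tracking_cookies_seen": leaked,
        "https_enforced": redirect_ok,
        "https_note": redirect_note,
        "csp_present": csp_state == "enforced",
        "csp_state": csp_state,
    }


# Constructed sample captures (example.test is a placeholder host).
# A site that serves over plain http, only has a Report-Only CSP and drops
# analytics cookies on first load:
BAD_HTTP_STATUS, BAD_HTTP_HEADERS = 200, {"Content-Type": "text/html"}
BAD_HTTPS_HEADERS = {"Content-Type": "text/html",
                     "Content-Security-Policy-Report-Only": "default-src 'self'"}
BAD_SET_COOKIES = ["_ga=GA1.2.111.222; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
                   "_fbp=fb.1.1.1; Path=/",
                   "session=abc123; Path=/; HttpOnly; Secure"]

# A site that redirects to https, enforces a CSP and sets only a session cookie:
GOOD_HTTP_STATUS, GOOD_HTTP_HEADERS = 301, {"Location": "https://example.test/"}
GOOD_HTTPS_HEADERS = {"Content-Type": "text/html",
                      "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
GOOD_SET_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    print(flash_audit(BAD_HTTP_STATUS, BAD_HTTP_HEADERS, BAD_HTTPS_HEADERS, BAD_SET_COOKIES))
    print(flash_audit(GOOD_HTTP_STATUS, GOOD_HTTP_HEADERS, GOOD_HTTPS_HEADERS, GOOD_SET_COOKIES))
```

The cookie check only sees cookies set by HTTP headers; cookies written by JavaScript (which is how most tag managers set them) still require the Network or Application tab in a fresh browser, as the checklist describes.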
Contact / lead forms collect only necessary data
Review each form on the website. Are all fields strictly necessary? A contact form asking for date of birth, phone, or company revenue alongside a message is likely violating data minimisation.
Marketing opt-in is unbundled and unticked by default
On any newsletter or registration form, the marketing consent checkbox must be: (1) separate from T&C acceptance, (2) unticked by default, (3) clearly labelled with the specific purpose.
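Requirements (1) and (2) above, separate from T&C acceptance and unticked by default, can be checked mechanically in the form markup; (3), whether the label states a specific purpose, still needs a human reader. The parser below is an added example and not part of the DPO Advisors checklist. It walks a form with Python's standard html.parser, pairs each checkbox with its label text (either a wrapping label or a label with a matching for= attribute), and flags marketing checkboxes that are pre-ticked or whose label also covers terms acceptance. The keyword lists and both sample forms are constructed for illustration.

```python
# Added example: flag pre-ticked or bundled marketing consent checkboxes in
# an HTML form. Not the DPO Advisors tool; keyword lists and sample forms
# are constructed.
from html.parser import HTMLParser

MARKETING_WORDS = ("marketing", "newsletter", "offers", "promotions")
TERMS_WORDS = ("terms", "conditions")


class ConsentFormParser(HTMLParser):
    """Collect checkboxes and the label text that belongs to each of them."""

    def __init__(self):
        super().__init__()
        self.boxes = []          # dicts: id, name, checked, label
        self.labels_for = {}     # <label for=ID> text, resolved after parsing
        self._in_label = False
        self._label_for = None
        self._label_text = []
        self._label_boxes = []   # checkboxes nested inside the open <label>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._in_label = True
            self._label_for = a.get("for")
            self._label_text = []
            self._label_boxes = []
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            # A bare `checked` attribute parses as ("checked", None): key present.
            box = {"id": a.get("id"), "name": a.get("name"),
                   "checked": "checked" in a, "label": ""}
            self.boxes.append(box)
            if self._in_label:
                self._label_boxes.append(box)

    def handle_data(self, data):
        if self._in_label:
            self._label_text.append(data)

    def handle_endtag(self, tag):
        if tag == "label":
            text = " ".join(" ".join(self._label_text).split())
            for box in self._label_boxes:          # wrapping <label>
                box["label"] = text
            if self._label_for:                    # <label for=...>
                self.labels_for[self._label_for] = text
            self._in_label = False


def audit_consent_form(html):
    """Return (checkbox name, finding) pairs for marketing-consent problems."""
    parser = ConsentFormParser()
    parser.feed(html)
    findings = []
    for box in parser.boxes:
        label = (box["label"] or parser.labels_for.get(box["id"], "")).lower()
        is_marketing = any(w in label for w in MARKETING_WORDS)
        is_terms = any(w in label for w in TERMS_WORDS)
        if is_marketing and box["checked"]:
            findings.append((box["name"], "marketing consent pre-ticked"))
        if is_marketing and is_terms:
            findings.append((box["name"], "marketing consent bundled with T&C acceptance"))
    return findings


# Constructed sample forms.
BAD_FORM = """
<form>
  <label><input type="checkbox" name="agree" checked>
    I agree to the Terms &amp; Conditions and to receive marketing emails</label>
</form>"""

GOOD_FORM = """
<form>
  <input type="checkbox" id="tc" name="agree_terms">
  <label for="tc">I accept the Terms and Conditions</label>
  <input type="checkbox" id="mk" name="marketing_optin">
  <label for="mk">Email me the monthly newsletter about new products</label>
</form>"""

if __name__ == "__main__":
    print(audit_consent_form(BAD_FORM))
    print(audit_consent_form(GOOD_FORM))
```

Run it over the HTML of every registration and newsletter form on the site; an empty result means only that the two structural rules hold, not that the consent wording is adequate.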
Third-party scripts disclosed in Privacy/Cookie Policy
Using Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, or Intercom? Each must be disclosed in the privacy or cookie policy with its purpose, legal basis, and data transfer details.
Data Subject Rights request mechanism exists
There must be a clear, accessible way for users to exercise their rights (access, erasure, portability). A generic contact email is barely sufficient — a dedicated form is best practice.
Flash Audit Results
Your Flash Audit is complete.
This 10-check assessment covers only the most visible compliance signals. A full audit examines 107 checks across 9 domains — including legal basis mapping, DPIA screening, transfer impact assessments, and security headers.
DPO Advisors · dpoadvisors.com · contact@dpoadvisors.com
This flash audit does not constitute legal advice. It reflects the state of the website as assessed on the date of completion.