Methodology · how we score

How Dxtra reads your site the way a regulator does.

The scanner is a diagnostic indicator, not a legal opinion. It reads only what is public, maps what it observes to named regulator sources and recognised control frameworks, and returns a Low / Medium / High risk band as the headline — with a secondary 0–100 maturity indicator, never a single grade. Here is exactly how.

What the scan is — and isn't

Dxtra reads your public surface and assesses it against the obligations a regulator would expect to see evidenced there. It is an automated indicator that points you to where attention is likely needed. It is not legal advice and not a determination that any law has been breached — that is a judgement only a qualified privacy professional can make on the full facts.

Because it works from the outside, the scanner cannot see your contracts, internal records, processing purposes, or anything behind a login. The absence of something on your public surface is treated as a prompt to check, not as proof of non-compliance.

The three scan agents

Every scan runs three agents over your public surface, each with a clearly defined job:

Surface Agent — reads your public pages (homepage, footer, policy links) as static HTML, discovering your privacy notice, rights routes and other published material.

Browser Agent — drives a real headless browser to observe live behaviour: cookies, trackers and marketing pixels before any consent, plus a simulated Reject All and a Global Privacy Control signal. All tracker and consent evidence is attributed to this agent.

Policy AI — reads your privacy notice for the substance regulators expect (rights, transfers, retention, contacts and disclosures). Deep policy analysis is attributed to the Policy AI.

The headline is a risk band — the number is just a progress meter

Every scan returns one of three risk bands: Low, Medium or High. The band is the headline and the only thing that carries weight. It is set by the count of confirmed high- and medium-severity findings under the methodology's Appendix B thresholds, scored across the jurisdictions that apply to your site.

The headline: Risk band. Low / Medium / High, driven by confirmed findings. This is what you act on.

Secondary: 0–100 maturity. How far your public surface is from the 91/100 verified-badge threshold. A progress meter, not a grade.

We show a 0–100 figure alongside the band, but it is deliberately secondary. It is a capability-maturity indicator: a measure of how much of a credible privacy programme is already evidenced on your public surface, and how far that is from the 91/100 threshold a site needs to reach to earn a Dxtra verified badge. It is not a regulatory determination, not a grade or league-table position, and it never changes the band. Two sites in the same band can show different numbers simply because one has more above-baseline practice visible.

Sites that process higher-sensitivity data — health, biometric, financial, child-directed, AI significant-decisioning, or Washington MHMDA scope — are assessed against tightened bands, because regulators expect more of them: a single high-severity finding can place such a site in the High band.

Commendable practices (above-baseline things you already do well — a transparency hub, a published sub-processor list) are recognised and can lift the 0–100 figure, but they are informational only — they never move the risk band.

What Low, Medium and High mean

The band is set purely by how many confirmed High and Medium findings your public surface shows, under the methodology's Appendix B thresholds. Higher-sensitivity sites are held to the tightened column on the right, because regulators expect more of them.

Band      Standard site           Elevated-sensitivity site
Low       0 high, 0-2 medium      0 high, 0-1 medium
Medium    0-1 high, 3+ medium     0 high, 2+ medium
High      2+ high                 1+ high

A site is treated as elevated when the scan sees any of these triggers: health, biometric, financial, child-directed, AI significant-decisioning, Washington MHMDA consumer health data, EU AI Act Art.5 scope, mandatory cross-border pathway. Any number shown alongside the band is a presentational composition summary only — it is not the headline and not a regulatory determination.
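The Appendix B thresholds above, written out as a band-assignment function. This is an added illustration, not Dxtra's own code: the code-prefix severities (F, M, L, C) and the elevated-sensitivity triggers come from this page, while the short trigger labels, the finding data layout and the "not-evaluated" status name are assumptions.

```python
from dataclasses import dataclass

# Severity is implied by the catalogue code prefix (F = high, M = medium,
# L = low, C = commendable). Low and commendable findings never move the band.
SEVERITY_BY_PREFIX = {"F": "high", "M": "medium", "L": "low", "C": "commendable"}

# Elevated-sensitivity triggers listed on the page; the short labels are assumed.
ELEVATED_TRIGGERS = {
    "health", "biometric", "financial", "child-directed",
    "ai-significant-decisioning", "wa-mhmda", "eu-ai-act-art5",
    "mandatory-cross-border",
}


@dataclass(frozen=True)
class Finding:
    code: str    # catalogue code, e.g. "F3" or "M13"
    status: str  # "confirmed" or "not-evaluated" (assumed status vocabulary)


def confirmed_counts(findings):
    """Count confirmed high and medium findings; everything else is ignored."""
    high = medium = 0
    for f in findings:
        if f.status != "confirmed":
            continue  # "not evaluated" is a prompt to check, never a count
        sev = SEVERITY_BY_PREFIX[f.code[0]]
        if sev == "high":
            high += 1
        elif sev == "medium":
            medium += 1
    return high, medium


def risk_band(high, medium, elevated):
    """Apply the Appendix B thresholds exactly as tabulated above."""
    if elevated:
        # Tightened column: a single confirmed high finding is enough for High.
        if high >= 1:
            return "High"
        return "Medium" if medium >= 2 else "Low"
    if high >= 2:
        return "High"
    if high == 0 and medium <= 2:
        return "Low"
    # Assumption: the standard column does not spell out "1 high, 0-2 medium";
    # because Low requires 0 high, that case is treated as Medium here.
    return "Medium"


def assess(findings, triggers):
    """Headline band for a scan: pick the column from the triggers, then count."""
    elevated = bool(set(triggers) & ELEVATED_TRIGGERS)
    return risk_band(*confirmed_counts(findings), elevated)
```

Note that the maturity figure is not an input here: as the page says, it never changes the band.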

Every finding is anchored

Nothing is asserted on a hunch. Each finding maps to a named regulator source and to a recognised control framework: the NIST Privacy Framework v1.1, ISO/IEC 27701:2025, and an ENISA-style assessment of likelihood × impact × sensitivity. Regulator citations, finding identifiers, dates and statutory instruments come from the published Regulator Reference — they are never invented. Where something can't be confirmed from the public surface, the scanner records it as not evaluated rather than guessing.

Findings catalogue

Each finding on your report carries a short code (for example M13). The code is a stable reference into this catalogue — not a score. Here is every code the scanner can return, in plain language, with the regulator source it maps to. Codes beginning F are high-severity, M medium, L low. A code only appears on your report when the scan actually observed that gap on your public surface.

High-severity findings (F)

F1 · Missing privacy notice · High
What it checks: No privacy notice linked from any inspected page/footer. · Regulator source: GDPR Art.13-14 · CCPA s.1798.130 · LGPD Art.9 · PIPL Art.17 · Australia APP5 · PDPA Notification (SG/MY/TH) · DPDPA s.5 · Quebec Law 25 · Washington MHMDA · nFADP Art.19 · PIPA Art.30 · UAE/NG/SA notice duties
F2 · Stale privacy notice (24+ months or repealed law) · High
What it checks: Last-updated date >24 months, or references repealed legislation (DPA 1998, Privacy Shield, pre-Schrems-II SCCs). · Regulator source: ICO accountability principle · EDPB transparency guidelines
F3 · Trackers set before consent · High
What it checks: Tracking cookies/pixels/fingerprinting fire in first 3s before any interaction. · Regulator source: CNIL SAN-2025-005 (SHEIN) · EDPB Guidelines 02/2023 · ePrivacy Art.5(3)
F4 · Implied-consent banner · High
What it checks: Banner uses 'by continuing you accept' or equivalent. · Regulator source: EDPB Guidelines 05/2020 · DSA Art.25(1)
F5 · Unequal Accept/Reject prominence · High
What it checks: Accept All visually dominant or Reject hidden behind intermediate menu. · Regulator source: CNIL SAN-2025-005 · EDPB Guidelines 03/2022
F6 · Trackers persist after Reject All · High
What it checks: Simulated Reject All; trackers continue to fire. · Regulator source: CNIL SAN-2025-005 · EDPB Guidelines 02/2023
F7 · Ad/marketing pixels fire without consent · High
What it checks: Meta/Google/Bing/TikTok/LinkedIn pixels load before consent. · Regulator source: PECR Reg.6 (DUAA £17.5M/4%) · EDPB Guidelines 05/2020 & 02/2023
F8 · No DSAR mechanism · High
What it checks: No rights-request page, portal, or designated contact for access requests. · Regulator source: GDPR Art.12-22 · CCPA s.1798.100 · LGPD Art.18 · DPDPA s.11-14 · PIPL Ch.IV · Australia APP12-13 · Thailand PDPA s.30-42
F9 · No appointed privacy officer (mandatory jurisdictions) · High
What it checks: No DPO/SRI/CPO/Encarregado/Quebec officer publicly contactable where mandatory. · Regulator source: GDPR Art.37-39 · Malaysia PDPA s.12A · Thailand PDPA s.41 · LGPD Art.41 · Quebec Law 25 s.8 · PIPA Art.31 (KR) · Saudi PDPL DPO · UAE PDPL Art.10 · Nigeria NDPA DPO (major importance) · HIPAA §164.530(a)
F10 · GPC / universal opt-out ignored in mandating US state · High
What it checks: Browser sends GPC in a UOOM-mandating state; site does not honour. · Regulator source: CCPA regs §7025 · Healthline $1.55M (Jul 2025) · CA/CO/CT GPC sweep (Sep 2025) · California Opt Me Out Act (AB566)
F11 · ADMT for significant decisions without pre-use notice (California) · High
What it checks: ADMT for significant decisions affecting CA residents; no pre-use notice. · Regulator source: CCPA regs §7200-7221 (ADMT obligations 1 Jan 2027)
F12 · Cross-border transfer without documented lawful basis · High
What it checks: Transfers PI of CN/MY/BR/KR users abroad without the mandatory pathway/separate consent. · Regulator source: PIPL Art.38-39 · China CBDT Certification Measures (1 Jan 2026) · Malaysia CBPDT (29 Apr 2025) · Brazil ANPD Res.19/2024 · PIPA Art.28-8 (KR separate consent) · Saudi cross-border Regulation · UAE PDPL Art.22-23
F13 · EU AI Act Article 5 prohibited-practice pattern · High
What it checks: Public surface describes/deploys patterns suggestive of Art.5 prohibitions. · Regulator source: EU AI Act Art.5 · EC Guidelines on Prohibited AI (4 Feb 2025) · Art.99 sanctions (€35M/7%)
F14 · Mandatory breach notification process visibly absent · High
What it checks: Mandatory-notification jurisdiction; no published notification commitment/contact. · Regulator source: GDPR Art.33 · Malaysia PDPA s.12B (72h) · Thailand PDPA s.37 · LGPD Art.48 & ANPD Res.15/2024 · PIPL Art.57 · Quebec Law 25 · nFADP Art.24 · PIPA 72h · Nigeria 72h · Saudi Implementing Regs Art.24 · UAE PDPL Art.9
F15 · Washington MHMDA: separate consumer health data policy missing · High
What it checks: Processes WA consumer health data; no separate, prominently-linked health-data policy. · Regulator source: Washington MHMDA RCW 19.373.020 (PRA under WA CPA) · Nevada SB370 (no PRA)

Medium-severity findings (M)

M1 · Aging privacy notice (12-24 months) · Medium
What it checks: Last-updated date 12-24 months. · Regulator source: ICO accountability principle · EDPB transparency guidelines
M2 · No cookie banner where non-exempt tracking detected · Medium
What it checks: Non-exempt tracking present but no cookie-banner DOM pattern. · Regulator source: ePrivacy Art.5(3) · EDPB 02/2023 · PECR (DUAA)
M3 · Processors not named or disclosed · Medium
What it checks: Network-detected processors not named/categorised in the privacy notice (or no notice found). · Regulator source: GDPR Art.13(1)(e)
M4 · No privacy officer contact (general, non-mandatory) · Medium
What it checks: No privacy contact where not strictly mandatory. · Regulator source: GDPR Art.37-39 (promotes to F9 where mandatory)
M5 · No Transparency Center / privacy hub · Medium
What it checks: No dedicated privacy hub beyond a single policy page. · Regulator source: EDPB transparency guidelines
M6 · No DPIA/PIA referenced · Medium
What it checks: No DPIA/PIA/processing-risk assessment referenced. · Regulator source: GDPR Art.35 · CCPA §7150 · PIPL Art.55-56 · LGPD Art.38 · nFADP Art.22 · Saudi risk assessment
M7 · Breach response timeline/contact missing (process exists) · Medium
What it checks: Breach process exists but lacks timeline/contact. · Regulator source: Same as F14
M8 · No CCPA Do Not Sell or Share link · Medium
What it checks: No DNSMPI link present for CA-facing site. · Regulator source: CCPA s.1798.135 · CPRA
M9 · Cross-border transfer disclosures absent or stale · Medium
What it checks: No/superseded international-transfer language (non-mandatory-pathway jurisdictions, incl. Switzerland adequacy list). · Regulator source: EDPB Recommendations 01/2020 · Swiss Federal Council adequacy list
M10 · No ROPA referenced · Medium
What it checks: No record of processing activities referenced. · Regulator source: GDPR Art.30 · LGPD Art.37 · nFADP Art.12
M11 · No UK data protection complaints procedure · Medium
What it checks: No complaints procedure (UK; high severity from 19 Jun 2026). · Regulator source: DUAA 2025
M12 · AI processing without disclosure · Medium
What it checks: AI/ADMT detected by W2 but no policy disclosure. · Regulator source: PDPC AI Advisory (1 Mar 2024) · EU AI Act Art.50 · CCPA ADMT regs · Australia ADM transparency (11 Dec 2026) · PIPA Art.37-2 · nFADP Art.21
M13 · No GPC response disclosure · Medium
What it checks: Privacy notice does not disclose GPC handling (or no notice found). · Regulator source: State UOOM mandates
M14 · Malaysia PDPA: DPO contact not published · Medium
What it checks: Malaysia-facing; DPO contact not published. · Regulator source: Malaysia PDPA s.12A · Circular 2/2025
M15 · DPDPA notice format missing (Indian-targeted) · Medium
What it checks: India-facing; DPDPA Rule 3 notice elements absent. · Regulator source: DPDPA 2023; DPDP Rules 2025 Rule 3
M16 · Australia ADM transparency not addressed · Medium
What it checks: Australia-facing; ADM transparency not addressed. · Regulator source: Privacy and Other Legislation Amendment Act 2024 (11 Dec 2026)
M17 · Brazil LGPD: Encarregado contact not published · Medium
What it checks: Brazil-facing; Encarregado/substitute contact not published. · Regulator source: LGPD Art.41 · ANPD Res.18/2024
M18 · Thailand PDPA: DPO not appointed/published (mandatory cases) · Medium
What it checks: Thailand-facing mandatory case; DPO not published. · Regulator source: Thailand PDPA s.41 · Royal Gazette 9 Oct 2025
M19 · Brazil ECA Digital: minors' services without safeguards · Medium
What it checks: Brazil minors' service without required safeguards. · Regulator source: Law 15,211/2025 · ANPD Res.30/2025
M20 · EU AI Act Article 4 AI literacy indicators absent · Medium
What it checks: No AI-literacy indicators where Art.4 applies. · Regulator source: EU AI Act Art.4 (in force 2 Feb 2025)
M21 · Quebec Law 25: privacy officer contact not published · Medium
What it checks: Quebec-facing; privacy officer contact not on website. · Regulator source: Quebec Law 25 s.8-8.1
M22 · Colorado AI Act: consumer-facing AI disclosure absent · Medium
What it checks: Colorado consumer-facing AI without disclosure. · Regulator source: Colorado AI Act SB24-205 (30 Jun 2026)
M23 · Non-cookie tracker fires before consent · Medium
What it checks: Fingerprinting/tracking-link/local-processing Article 5(3) trackers fire pre-consent. · Regulator source: EDPB Guidelines 02/2023 · ePrivacy Art.5(3) · WP29 Opinion 9/2014
M24 · Switzerland nFADP: Swiss representative not published · Medium
What it checks: CH nexus + foreign controller; no Swiss representative contact published. · Regulator source: nFADP Art.14
M25 · South Korea PIPA: CPO contact not published · Medium
What it checks: KR nexus; no Chief Privacy Officer contact identifiable. · Regulator source: PIPA Art.31
M26 · South Korea PIPA: automated-decision rights not addressed · Medium
What it checks: KR + automated decisioning; policy silent on refuse/explanation rights. · Regulator source: PIPA Art.37-2 (decree 15 Mar 2024)
M27 · UAE PDPL: DPO contact not published (interim) · Medium
What it checks: Mainland-UAE nexus (not DIFC/ADGM) + DPO likely required; no DPO contact. · Regulator source: UAE Federal Decree-Law 45/2021 Art.10
M28 · Nigeria NDPA: DPO contact not published (major importance) · Medium
What it checks: Nigeria nexus + 'major importance' signals; no DPO contact. · Regulator source: Nigeria Data Protection Act 2023 · NDPC GAID 2025
M29 · Saudi PDPL: DPO contact not published · Medium
What it checks: Saudi nexus + DPO likely required; no DPO contact. · Regulator source: Saudi PDPL & Implementing Regulations (SDAIA)
M30 · Form collects personal data with no point-of-collection notice · Medium
What it checks: A contact/enquiry form collects personal data (email or phone + name/message) with no consent option or privacy notice in the form (the cookie banner does not satisfy this). Surface Agent fetches the page and Browser Agent renders it, so JS/SPA forms are caught. · Regulator source: GDPR Art.13 · PDPA Notification Obligation (SG) · CCPA notice-at-collection s.1798.100(b)
M31 · Live-chat / PII widget with no privacy notice · Medium
What it checks: A known live-chat / conversational widget (Intercom, Drift, Crisp, Zendesk, etc.) loads AND the site has no privacy notice — PII is collected in-conversation with no disclosure. Where a notice exists, surfaced as a verify-caution (report.chatWidgets) rather than a scored finding. · Regulator source: GDPR Art.13 · PDPA Notification Obligation (SG)

Low-severity findings (L)

L1 · No standalone cookie policy where promised · Low
What it checks: A separate cookie policy is explicitly referenced but none found. · Regulator source: EDPB transparency guidelines
L2 · Children's section without age-gating (non-child-directed) · Low
What it checks: Children's content without age-gating on a non-child-directed site. · Regulator source: ICO AADC · FTC COPPA · PDPC Children's Guidelines · DPDPA Rule 10 · Brazil ECA Digital · Thailand PDPA s.20 · Quebec Law 25
L3 · Do Not Track explicitly ignored · Low
What it checks: DNT ignored (GPC not separately implicated). · Regulator source: CCPA regs (context)
L4 · Behavioural advertising without explicit consent disclosure · Low
What it checks: Behavioural ads without explicit consent disclosure. · Regulator source: EDPB Guidelines 05/2020 · PECR Reg.6 · EDPB 1/2024

"What it checks" describes the public-surface signal, not internal detector logic. Commendable practices (codes beginning C) are recognised separately and never move the band.

Cross-border sites

When a site reaches users in more than one jurisdiction, each indicator is scored against the most stringent applicable regime. A clean result from one vantage is reported as "not observed from this vantage" — never as "compliant" — because the absence of a finding in one country is not evidence of compliance in another.

When a site limits access

Some sites rate-limit or block automated visitors. When that happens the scanner does not fail silently or invent results: it returns a preliminary, access-limited assessment with an explicit banner, reports only what it could directly observe, and withholds any finding that depends on having fully read the site. You always know what was — and wasn't — established.

Canonical reference documents

This page is the plain-language summary. The full, citable source documents are published openly: the complete methodology and the regulator reference — every regulator source, statutory instrument and enforcement decision behind the finding catalogue.

Scanner methodology (full) · Regulator reference

Versioning

The current ratified methodology is Methodology v1.8 (with Regulator Reference v1.7). It incorporates the geo-vantage addendum governing multi-region scans — disclosing the vantage each result was observed from and the rule that absence ≠ compliance. The methodology is versioned and auditable, and findings are reproducible against the published rules.

Automated diagnostic on public information. An indicator, not legal advice, and not a determination of any breach. For material decisions, consult a qualified privacy professional. Methodology v1.8 · Regulator Reference v1.7 · Research preview.