Detect Compliance Violations Before Regulators Do

The Cost of Non-Compliance: A GDPR Case Study
In June 2023, the French data protection authority - the Commission Nationale de l'Informatique et des Libertés (CNIL) - issued a landmark €40 million administrative fine against the global ad-tech firm Criteo. The enforcement action sent shockwaves through the consumer software and digital marketing industries, not merely due to the size of the financial penalty, but because of the systemic operational failures it exposed. The CNIL's investigation revealed that the company had failed to verify that its partner websites obtained valid consent from users before dropping tracking cookies, failed to honor users' requests for deletion under the General Data Protection Regulation (GDPR), and failed to enable individuals to easily withdraw their consent.
For years, many organizations operated under the assumption that compliance was a paper-based exercise - a set of static privacy policies and cookie banners that, once deployed, required little ongoing maintenance. The Criteo case shattered this illusion. The CNIL made it clear that companies cannot simply delegate compliance obligations to third parties or assume that their consent management platforms (CMPs) are functioning correctly in perpetuity. Under GDPR Article 26, which governs joint controllership, joint controllers must set out their respective responsibilities in a transparent arrangement, and a data subject may exercise their rights against any of them; the CNIL faulted Criteo for lacking such an arrangement with its partner publishers. In practice this means each party remains answerable for the entire data processing pipeline - from the initial user touchpoint on a public website to the downstream database deletion.
The administrative fine is only the most visible cost of such enforcement actions. Beyond the penalty itself, Criteo faced reputational damage and the operational cost of restructuring its tracking and consent-verification systems to satisfy the regulator. This case study underscores a critical reality for modern digital enterprises: compliance is not a static state achieved at launch. It is a dynamic, continuous engineering and operational requirement. The failures that led to Criteo's penalty were not the result of malicious intent, but rather of a lack of continuous visibility into how its tracking pixels and consent mechanisms behaved in the wild across thousands of partner URLs.
To avoid these catastrophic enforcement actions, organizations must move away from reactive compliance audits. They must establish a continuous, proactive feedback loop that detects compliance regressions before they attract the attention of regulators, privacy advocates, or class-action plaintiffs. Achieving this level of operational resilience requires a deep understanding of the core regulatory obligations that govern modern web applications.

Understanding GDPR and CCPA: Core Obligations
Navigating the global regulatory landscape requires a precise understanding of the specific statutory obligations imposed by different jurisdictions. For companies operating in Europe and the United States, the GDPR and the California Consumer Privacy Act (CCPA) - as amended by the California Privacy Rights Act (CPRA) - form the twin pillars of modern privacy enforcement. Each framework imposes strict, technically demanding requirements on how user data is collected, processed, and deleted.
Under the GDPR, consent is one of the lawful bases for processing personal data. Article 7(3) of the regulation explicitly states that "the data subject shall have the right to withdraw his or her consent at any time" and, crucially, that "it shall be as easy to withdraw as to give consent." This means that if a user can accept all tracking cookies with a single click on a banner, they must be able to reject or withdraw that consent with equal ease - without navigating through multi-layered menus or facing dark patterns. Furthermore, GDPR Article 17 establishes the right to erasure (the "right to be forgotten"): on receipt of a valid request the controller must delete the user's personal data without undue delay, and Article 12(3) fixes the deadline at one month from receipt, extendable by two further months for complex or numerous requests, subject to the limited exceptions listed in Article 17(3).
"The data subject shall have the right to withdraw his or her consent at any time. [...] It shall be as easy to withdraw as to give consent." - GDPR Article 7(3)
In the United States, the CCPA establishes a different but equally stringent set of consumer rights. Rather than requiring opt-in consent for all tracking by default, the CCPA focuses on the right to opt out of the sale or sharing of personal information. California Civil Code Section 1798.120 grants that right, and Section 1798.135 requires businesses to provide a clear and conspicuous link on their homepage titled "Do Not Sell or Share My Personal Information." The CCPA regulations give a business 15 business days to act on an opt-out request and to stop downstream transfers. Additionally, Section 1798.135(b) and the regulations require businesses to treat an opt-out preference signal such as Global Privacy Control (GPC) - a browser-level opt-out mechanism sent with every request - as a valid opt-out request, without any further action by the consumer. When a consumer submits a verifiable deletion request, Section 1798.130 gives the business 45 days to respond (extendable once by a further 45 days, with notice), and Section 1798.105 requires it to delete the information and to direct its service providers and contractors to do the same.
Beyond Europe and California, a fragmented patchwork of regulations has emerged. In the US, state privacy laws in Virginia, Colorado, Connecticut, and Utah each define their own opt-out rights, and most of them also require a process for consumers to appeal a refused request, so opt-out handling has to be checked state by state. For organizations handling children's data, the Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal information from children under 13, which in practice drives age-gate validation, parental-consent mechanisms, and minor-specific account creation flows. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs consent for the collection and use of personal information, and Canada's Anti-Spam Legislation (CASL) requires consent for commercial electronic messages together with an unsubscribe mechanism that must be given effect within 10 business days. Similarly, the US CAN-SPAM Act requires commercial emails (purely transactional messages are largely exempt) to include a valid physical postal address and a working opt-out mechanism that stays active for at least 30 days after the message is sent, with opt-out requests honored within 10 business days.
Meeting these diverse legal clocks requires absolute technical precision. A single broken link, an unparsed GPC signal, or a delayed Data Subject Access Request (DSAR) response can trigger statutory damages and regulatory audits. To maintain compliance, engineering and legal teams must understand the technical mechanisms used to detect these failures before they manifest as legal liabilities.

The Mechanisms of Compliance Detection
To systematically identify compliance gaps across public-facing web properties, organizations must deploy automated testing methodologies. Relying on manual code reviews or occasional point-in-time audits is insufficient in a world of continuous deployment and dynamic third-party tag injection. Modern compliance detection relies on two distinct testing paradigms: passive scanning and active behavioral testing.
Complyy operates as a continuous compliance observability platform that implements both methodologies without requiring any integration, SDK, or code changes. By executing tests against public URLs using a real, headless browser, the platform observes your website exactly as a user - or a regulatory auditor - would experience it. This external, zero-integration approach ensures that the testing environment remains completely independent of the production codebase, preventing "observer effects" where internal monitoring tools fail to capture real-world user experiences.
Passive tests run automatically on every scan. During a passive scan, a headless browser visits the live target site and performs a comprehensive analysis of the client-side state. The platform analyzes the HTML structure, parses the Document Object Model (DOM), inspects cookies, and monitors all outbound network requests. This allows the system to map the website's compliance posture across every applicable regulation. For example, passive scans evaluate the accessibility tree to verify WCAG 2.1 AA compliance - checking for missing image alt text, keyboard navigation traps, and color contrast regressions introduced during rapid frontend deployments. The passive engine also inspects the state of the consent banner, verifying that no third-party tracking pixels, analytics scripts, or tag managers load or fire before the user has actively interacted with the consent interface.
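The pre-consent tracker check described above reduces to a simple rule: every network request and cookie observed before the consent banner is clicked should either be first-party or not belong to a known tracker. The following is an added example of that rule, written for this page and not taken from Complyy's product. It audits a capture offline; the tracker host suffixes, tracking-cookie name patterns, the shop.example capture, and the two-label registrable-domain approximation are all assumptions made for illustration. The optional Playwright helper at the end shows how such a capture would be produced from a live page and is not executed here.

```javascript
// Added example (not Complyy's code): offline audit of a headless-browser capture.
// Flags third-party tracker requests and tracking cookies that were observed
// BEFORE the user interacted with the consent banner.

// Assumed tracker host suffixes; a real scanner would use a maintained blocklist.
const TRACKER_HOST_SUFFIXES = [
  'google-analytics.com', 'googletagmanager.com', 'doubleclick.net',
  'facebook.net', 'criteo.com', 'criteo.net', 'hotjar.com',
];
// Assumed tracking-cookie name patterns (Google Analytics, Meta Pixel, Google Ads).
const TRACKER_COOKIE_PATTERNS = [/^_ga(_|$)/, /^_gid$/, /^_fbp$/, /^_gcl_/];

// Registrable-domain approximation: the last two DNS labels. Limitation: multi-part
// public suffixes such as co.uk are not handled; use a Public Suffix List library for real use.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, '').split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

function hostMatches(hostname, suffix) {
  return hostname === suffix || hostname.endsWith('.' + suffix);
}

function isTrackerHost(hostname) {
  const h = hostname.toLowerCase();
  return TRACKER_HOST_SUFFIXES.some((s) => hostMatches(h, s));
}

function isTrackerCookie(name) {
  return TRACKER_COOKIE_PATTERNS.some((re) => re.test(name));
}

// requests: [{ url, resourceType, phase }]; cookies: [{ name, domain, phase }].
// phase is 'pre-consent' for anything observed before the banner was clicked.
function auditPreConsent(pageUrl, requests, cookies) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const thirdPartyHosts = new Set();
  const trackerRequests = [];
  for (const r of requests) {
    if (r.phase !== 'pre-consent') continue;
    let host;
    try { host = new URL(r.url).hostname; } catch { continue; } // malformed URL
    if (!host) continue;                                       // data:, blob:, about:blank
    if (siteOf(host) === firstParty) continue;                 // first-party, including subdomains
    thirdPartyHosts.add(host);
    if (isTrackerHost(host)) {
      trackerRequests.push({ host, resourceType: r.resourceType, url: r.url });
    }
  }
  // A cookie is a finding if it is set by a third-party domain or carries a
  // known tracker name even on the first-party domain (e.g. _ga set by GA4).
  const trackerCookies = cookies
    .filter((c) => c.phase === 'pre-consent' &&
      (isTrackerCookie(c.name) || siteOf(c.domain) !== firstParty))
    .map((c) => ({ name: c.name, domain: c.domain }));
  return {
    firstParty,
    thirdPartyHosts: [...thirdPartyHosts].sort(), // every third party contacted, for manual review
    trackerRequests,
    trackerCookies,
    pass: trackerRequests.length === 0 && trackerCookies.length === 0,
  };
}

// Constructed capture of a visit to https://shop.example/ (not a real site).
const SAMPLE_REQUESTS = [
  { url: 'https://shop.example/', resourceType: 'document', phase: 'pre-consent' },
  { url: 'https://cdn.shop.example/app.js', resourceType: 'script', phase: 'pre-consent' },
  { url: 'https://fonts.gstatic.com/s/roboto.woff2', resourceType: 'font', phase: 'pre-consent' },
  { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-0000000', resourceType: 'script', phase: 'pre-consent' },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-0000000', resourceType: 'xhr', phase: 'pre-consent' },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', resourceType: 'script', phase: 'post-consent' },
];
const SAMPLE_COOKIES = [
  { name: 'session', domain: 'shop.example', phase: 'pre-consent' },
  { name: '_ga', domain: '.shop.example', phase: 'pre-consent' },
  { name: '_fbp', domain: '.shop.example', phase: 'post-consent' },
];

const SAMPLE_REPORT = auditPreConsent('https://shop.example/', SAMPLE_REQUESTS, SAMPLE_COOKIES);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));

// Optional live capture with Playwright (needs `npm i playwright`; not run here).
// acceptSelector is an assumed CSS selector for the banner's accept button.
async function captureWithPlaywright(pageUrl, acceptSelector) {
  const { chromium } = require('playwright');
  const browser = await chromium.launch();
  const context = await browser.newContext();
  const page = await context.newPage();
  const requests = [];
  let phase = 'pre-consent';
  page.on('request', (req) => requests.push({ url: req.url(), resourceType: req.resourceType(), phase }));
  await page.goto(pageUrl, { waitUntil: 'networkidle' });
  const cookies = (await context.cookies()).map((c) => ({ name: c.name, domain: c.domain, phase }));
  phase = 'post-consent';
  await page.click(acceptSelector);
  await page.waitForLoadState('networkidle');
  for (const c of await context.cookies()) cookies.push({ name: c.name, domain: c.domain, phase });
  await browser.close();
  return { requests, cookies };
}
```

On the constructed capture the audit fails: the tag manager and analytics beacon fired before any consent interaction, and a first-party `_ga` cookie was already set, while the post-consent Meta Pixel load and the font CDN request are not reported as violations. Two design points matter in practice: the phase boundary must be set by the browser's interaction with the banner rather than by a timer, and the third-party host list is only a heuristic, which is why the report also returns every third-party host contacted pre-consent for human review.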