GDPR
Consent Mechanism
The website deploys Twitter/X Pixel (advertising tracker) and Google Tag Manager without presenting a cookie consent banner. Under GDPR, prior informed consent is required before placing non-essential cookies or tracking technologies on a user's device. The absence of any cookie banner means advertising and analytics trackers fire without user consent, which is a direct violation of Article 6(1)(a) GDPR and the ePrivacy Directive.
Recommendation: Implement a GDPR-compliant cookie consent management platform (CMP) that blocks all non-essential cookies and trackers until the user provides explicit, affirmative consent. Ensure the banner provides granular options to accept or reject categories of cookies, and that consent is logged and revocable.
GDPR
Cookie Consent
Found 2 third-party tracker(s) (Twitter/X Pixel, Google Tag Manager) but no cookie consent mechanism. GDPR requires explicit opt-in consent before placing non-essential cookies.
Recommendation: Implement a cookie consent banner that blocks non-essential cookies until the user provides explicit consent. Consider tools like CookieBot, OneTrust, or a custom implementation.
GDPR
Cross-Border Transfer
The privacy policy states 'Our Services are performed in the United States' and third-party trackers (Twitter/X, Google) transfer personal data to US-based servers. The EU-US Data Privacy Framework requires self-certification, and Standard Contractual Clauses (SCCs) or other Article 46 safeguards must be in place, yet there is no evidence in the privacy policy of any lawful transfer mechanism for EU data subjects' personal data.
Recommendation: Document and disclose the legal mechanisms relied upon for international data transfers (e.g., EU-US Data Privacy Framework, SCCs, or binding corporate rules). Update the privacy policy to inform EU data subjects about the safeguards in place and provide links to relevant documentation.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Third-Party Data Sharing
Found 1 advertising tracker(s): Twitter/X Pixel. Each represents potential data sharing that requires explicit consent under GDPR and a valid legal basis.
Recommendation: Ensure each advertising tracker has a clear legal basis (consent), is documented in your privacy policy, and is blocked until consent is given.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Cookie Consent
CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" option. 2 tracker(s) detected without any opt-out control.
Recommendation: Add a visible "Do Not Sell or Share My Personal Information" link and implement GPC (Global Privacy Control) signal detection.
CCPA
Do Not Sell/Share
The website deploys advertising trackers (Twitter/X Pixel) which likely constitute 'sharing' personal information for cross-context behavioral advertising under CCPA/CPRA. California law requires a conspicuous 'Do Not Sell or Share My Personal Information' link on the homepage. No such link was detected during the scan.
Recommendation: Add a clearly visible 'Do Not Sell or Share My Personal Information' link on the website footer or homepage. Implement a mechanism to honor opt-out requests, including support for the Global Privacy Control (GPC) signal as required by CPRA regulations.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CPA
Cookie Consent
The Colorado Privacy Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers were detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by CPA (Colorado).
CPA
Consent Mechanism
The Colorado Privacy Act requires controllers to honor universal opt-out mechanisms for targeted advertising and the sale of personal data. The website's use of advertising trackers without any detected opt-out mechanism or GPC signal support means Colorado residents cannot exercise their statutory rights through browser-based signals.
Recommendation: Implement Global Privacy Control (GPC) signal detection and honor it as a valid opt-out request for both the sale of personal data and targeted advertising, as mandated by the CPA. Clearly disclose this functionality in the privacy policy.
CTDPA
Cookie Consent
The Connecticut Data Privacy Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers were detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by CTDPA (Connecticut).
CTDPA
Consent for Sensitive Data
The Connecticut Data Privacy Act requires controllers to allow consumers to opt out of the processing of personal data for targeted advertising. Twitter/X advertising pixel is actively collecting data for ad targeting purposes, but no mechanism was found on the site allowing Connecticut residents to exercise their opt-out rights. CTDPA also requires recognition of universal opt-out mechanisms.
Recommendation: Provide a clear opt-out mechanism for targeted advertising accessible to all users. Implement support for universal opt-out signals (e.g., Global Privacy Control) as required under CTDPA, and disclose this right prominently in the privacy policy.
TDPSA
Cookie Consent
The Texas Data Privacy and Security Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers were detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by TDPSA (Texas).
TDPSA
Data Processing Agreement
The Texas Data Privacy and Security Act requires controllers to enter into data processing agreements with processors. The website uses Google Tag Manager and Twitter/X Pixel, but the privacy policy excerpt does not indicate whether appropriate data processing agreements are in place with these third parties, nor does it clearly delineate whether they act as processors or controllers.
Recommendation: Ensure data processing agreements are executed with all third-party tracker providers. Update the privacy policy to describe the categories of third parties with whom data is shared and their roles (processor vs. controller) to meet TDPSA transparency requirements.
VCDPA
Cookie Consent
The Virginia Consumer Data Protection Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers were detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by VCDPA (Virginia).
VCDPA
Privacy Policy Completeness
The Virginia Consumer Data Protection Act requires specific disclosures including the categories of personal data processed, purposes of processing, categories of third parties with whom data is shared, and a clear description of how consumers can exercise their rights (access, deletion, correction, opt-out). While a privacy policy exists, the scanned excerpt primarily contains navigation content and introductory language, raising concerns about whether all VCDPA-mandated disclosures are complete and accessible.
Recommendation: Audit the full privacy policy to ensure it contains all VCDPA-required disclosures: categories of personal data processed, processing purposes, third-party sharing categories, consumer rights (access, correction, deletion, opt-out of targeted advertising/sale/profiling), and the appeal process for denied requests.
TIPA
Children's Privacy
The Tennessee Information Protection Act, alongside federal COPPA requirements, requires heightened protections when processing data of minors. The website collects data via forms and deploys advertising trackers but has no visible age verification, age-gating mechanism, or specific children's privacy disclosures. If any users under 13 (or under 18 for certain TIPA provisions) access the site, their data may be collected without appropriate parental consent or safeguards.
Recommendation: Add age-gating mechanisms or clear disclaimers that the services are not directed at children under 13 (or the applicable age threshold). Include a specific children's privacy section in the privacy policy. Ensure advertising trackers do not collect data from known minors and implement processes to delete such data if inadvertently collected.