AI Privacy Scanner

Identifies GDPR and CCPA AI compliance gaps your privacy policy may not cover: cookies dropped by AI tools without consent, personal data sent to AI APIs without disclosure, and privacy policies written before AI became part of your stack.

Why AI Privacy Compliance Is a Separate Problem From General GDPR

Most website privacy policies were written before AI tools became standard. They cover contact forms and analytics — not the chatbot API sending conversation data to a US server, or the recommendation engine building behavioral profiles. GDPR doesn't care when the policy was written; it cares what's actually happening.

Every time a user interacts with an AI feature on your website, personal data is likely being processed, often by a third-party provider. Under GDPR, you are the data controller for that processing because you decide its purpose; the AI vendor is normally your processor (unless it also uses the data for its own purposes, in which case it becomes a controller in its own right). That means you need a lawful basis, a disclosure in your privacy policy, a Data Processing Agreement with the AI vendor, and safeguards for any transfer outside the EEA.

The AI Privacy Scanner checks what is actually happening on your site — not what your privacy policy says. It detects cookies set by AI tools before consent is given, identifies third-party AI scripts making data calls, and checks whether your privacy policy covers the AI processing that is actually occurring.

What We Detect

  • AI-related cookies deployed without consent — violates ePrivacy Directive and GDPR requirements for prior informed consent
  • User data sent to third-party AI APIs without disclosure — a common GDPR gap as teams add ChatGPT, Claude, or similar tools to their stack
  • Privacy policy doesn't mention AI data processing — regulators expect explicit disclosure of how AI systems handle personal data
  • International data transfers to AI providers without adequate safeguards — GDPR Articles 44–49 apply to every API call that sends personal data to a provider outside the EEA, unless the destination is covered by an adequacy decision or another Chapter V safeguard
  • AI systems collecting data beyond what users were told — scope creep that creates CCPA and GDPR exposure

How the AI Privacy Scanner Works

1. Scan for AI-related cookies and scripts

The scanner loads each page in a clean browser session and records every cookie and third-party script, identifying which ones belong to AI tools and whether they fire before consent is obtained.

2. Check privacy policy coverage

Your privacy policy is checked for mentions of AI data processing, third-party AI vendors, international data transfers, and automated decision-making. Gaps are flagged with the specific missing elements.

3. Identify data transfer risks

Any AI API call that sends personal data outside the EEA is flagged as a potential GDPR Chapter V issue. The scanner notes which providers are involved and whether standard transfer safeguards (an adequacy decision, Data Privacy Framework certification, or standard contractual clauses) are documented.

4. Report with remediation steps

Findings are mapped to specific GDPR articles and CCPA provisions, with instructions for fixing each gap, from updating your privacy policy to implementing cookie consent correctly.
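The four steps above amount to a timeline check: everything the browser did before the consent event is pre-consent, and anything in that window that talks to an AI vendor is a finding. The script below is an added illustration of that logic and is not SiteProof AI's code. It runs over a constructed capture (cookies, requests and a consent click with millisecond timestamps, as a headless-browser harness would record them) plus a constructed privacy-policy excerpt. The vendor hostnames for the three public APIs are real; the region values, the `chat-widget.example` entry, the regex-based policy checks and the two-label domain comparison are simplifications made for the example.

```python
import re
from urllib.parse import urlsplit

# Illustrative vendor table: API/widget host -> (vendor label, region of the endpoint).
# The three public API hostnames are real; the region values and the
# "chat-widget.example" entry are assumptions made for this example.
AI_VENDOR_HOSTS = {
    "api.openai.com": ("OpenAI", "US"),
    "api.anthropic.com": ("Anthropic", "US"),
    "generativelanguage.googleapis.com": ("Google AI", "US"),
    "cdn.chat-widget.example": ("ExampleChat", "US"),
}
EEA_REGIONS = {"EU", "EEA"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # crude personal-data marker

# Phrases a policy must contain to cover each element from step 2 (simplified checks).
POLICY_PATTERNS = {
    "ai_processing": re.compile(r"\b(artificial intelligence|AI|machine learning|language model)\b", re.I),
    "international_transfer": re.compile(r"\b(transfer\w*|outside the (EU|EEA)|third countr\w+)\b", re.I),
    "automated_decision_making": re.compile(r"\bautomated (decision|processing)\b", re.I),
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). A real scanner should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").rsplit(".", 2)[-2:])


def vendor_for(host):
    return AI_VENDOR_HOSTS.get((host or "").lower().strip("."))


def consent_time(events):
    """Timestamp of the first recorded consent event, or None if consent was never given."""
    for e in events:
        if e["kind"] == "consent":
            return e["t"]
    return None


def scan_capture(site_url, events, documented_safeguards=frozenset()):
    """Steps 1 and 3: classify cookies/requests against the consent timeline and vendor regions."""
    site_domain = registrable_domain(urlsplit(site_url).hostname)
    consent_t = consent_time(events)
    findings = []
    for e in events:
        # No consent event at all means the whole session is pre-consent.
        pre_consent = consent_t is None or e["t"] < consent_t
        if e["kind"] == "cookie":
            vendor = vendor_for(e.get("set_by")) or vendor_for(e["domain"])
            if vendor and pre_consent:
                findings.append({"type": "ai_cookie_before_consent", "vendor": vendor[0], "t": e["t"],
                                 "detail": e["name"],
                                 "third_party": registrable_domain(e["domain"]) != site_domain,
                                 "basis": "ePrivacy Art. 5(3); GDPR Art. 6-7"})
        elif e["kind"] == "request":
            vendor = vendor_for(urlsplit(e["url"]).hostname)
            if not vendor:
                continue
            name, region = vendor
            if pre_consent:
                findings.append({"type": "ai_request_before_consent", "vendor": name, "t": e["t"],
                                 "detail": e["url"], "basis": "GDPR Art. 6-7"})
            if EMAIL_RE.search(e.get("body", "")):
                findings.append({"type": "personal_data_to_ai_api", "vendor": name, "t": e["t"],
                                 "detail": "email address in request body", "basis": "GDPR Art. 13; Art. 28"})
            if region not in EEA_REGIONS:
                findings.append({"type": "third_country_transfer", "vendor": name, "t": e["t"],
                                 "detail": region, "basis": "GDPR Art. 44-49",
                                 "safeguard_documented": name in documented_safeguards})
    return findings


def check_policy(policy_text, findings):
    """Step 2: return the disclosure elements the policy text does not mention."""
    missing = [k for k, rx in POLICY_PATTERNS.items() if not rx.search(policy_text)]
    for vendor in sorted({f["vendor"] for f in findings}):
        if vendor.lower() not in policy_text.lower():
            missing.append("ai_vendor:" + vendor)
    return missing


# Constructed capture: what a clean-session browser harness might record, t in ms after navigation.
SITE = "https://shop.example"
CAPTURE = [
    {"kind": "cookie", "t": 420, "name": "_cart", "domain": "shop.example", "set_by": "shop.example"},
    {"kind": "cookie", "t": 810, "name": "chat_uid", "domain": ".chat-widget.example",
     "set_by": "cdn.chat-widget.example"},
    {"kind": "request", "t": 1350, "method": "POST", "url": "https://api.openai.com/v1/chat/completions",
     "body": '{"messages":[{"role":"user","content":"Order 4471 for ana@example.org never arrived"}]}'},
    {"kind": "consent", "t": 5000, "choice": "accept_all"},
    {"kind": "request", "t": 6100, "method": "POST", "url": "https://api.anthropic.com/v1/messages",
     "body": '{"messages":[{"role":"user","content":"What are your opening hours?"}]}'},
    {"kind": "request", "t": 6200, "method": "GET", "url": "https://shop.example/api/stock?sku=4471", "body": ""},
]
# Constructed policy excerpt: mentions AI, but no vendors, transfers or automated decisions.
POLICY = ("We use cookies and an analytics service to understand how visitors use our site. "
          "Our support chatbot uses artificial intelligence to answer questions. "
          "Contact-form data is stored on our own servers in Germany.")


def run_example():
    findings = scan_capture(SITE, CAPTURE)
    return findings, check_policy(POLICY, findings)


if __name__ == "__main__":
    findings, missing = run_example()
    for f in findings:
        print(f"t={f['t']:>5}ms {f['type']:<26} {f['vendor']:<12} {f['detail']}  [{f['basis']}]")
    print("policy gaps:", missing)
```

On this capture the first-party `_cart` cookie and the stock lookup produce nothing, the widget cookie and the OpenAI call are flagged as pre-consent, the OpenAI call is additionally flagged for carrying an email address, and both AI API calls are flagged as third-country transfers; the post-consent Anthropic call is not a consent finding. Passing `documented_safeguards={"OpenAI"}` records that a transfer mechanism is on file for that vendor without removing the finding, which mirrors step 3: the transfer still has to be disclosed even when it is lawful.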

Recent Privacy Enforcement Actions Relevant to AI Deployments

Company        Regulator          Action                                                                  Year
Google         French CNIL        €150 million fine for making cookie rejection harder than acceptance    2022
Meta           Irish DPC          €1.2 billion fine for unlawful EU-US data transfers                     2023
Clearview AI   Italian Garante    €20 million fine for unlawful processing of biometric data              2022
Amazon         Luxembourg DPA     €746 million fine for GDPR advertising data violations                  2021

Legal Basis

  • GDPR (Regulation 2016/679) — Articles 6 & 7: Lawfulness of processing and conditions for consent
  • GDPR — Articles 44-49: Transfers of personal data to third countries or international organisations
  • GDPR — Article 35: Data protection impact assessment for high-risk processing
  • ePrivacy Directive (2002/58/EC) — Article 5(3): Cookie consent requirements
  • CCPA/CPRA (California Civil Code §§1798.100–1798.199.100) — Consumer right to know about data collection and sharing

Potential Consequences

GDPR privacy violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. Under CCPA, intentional violations may incur penalties of $7,500 per violation. Violations of the national cookie rules that implement the ePrivacy Directive can also lead to significant fines from national regulators. Multiple regulators have specifically targeted AI-related privacy violations in recent enforcement actions. See our GDPR AI compliance checklist for a full breakdown.

Frequently Asked Questions

Does GDPR apply to AI tools I use internally?

If the internal AI tool processes any personal data from users — including conversation logs, behavioral data, or identifiers — GDPR applies. The fact that users don't directly interact with the tool doesn't remove the obligation.

Do I need a Data Processing Agreement with my AI vendor?

Yes. GDPR Article 28 requires a DPA with every third-party service that processes personal data on your behalf. This includes OpenAI, Anthropic, Google AI, and any other AI API that receives user data from your website. Most major providers offer a standard DPA; check that it applies to the product tier you actually use (typically the API or enterprise offering, not a consumer login).

What is a CCPA AI compliance requirement?

Under CCPA, you must disclose in your privacy policy all categories of personal data collected, including data collected by AI systems, and the purposes for which it is used. California users have the right to opt out of the sale or sharing of their personal data, which covers disclosures to AI vendors unless the vendor acts as a service provider under a compliant contract. Note that under the CPRA, "sharing" specifically means disclosure for cross-context behavioural advertising.

My chatbot only answers FAQs. Does GDPR still apply?

If the chatbot logs conversations, collects names or email addresses, or uses session data — yes. Even a FAQ bot that records which questions users ask is processing personal data under GDPR.

Protect your users' privacy and your business

Get your compliance report in 60 seconds. No signup required.

SiteProof AI is an automated analysis tool. Results are informational and do NOT constitute legal advice. Consult a qualified legal professional for compliance decisions.