Website Security & GDPR Compliance Report
acme-retail.example
Overall grade: D
7 findings · 2 critical · 2 high
Scanned: 12 June 2026, 09:30 UTC
Report ID: sample-0000-demo
IMPORTANT NOTICE
This report is generated by automated scanning of publicly available website information, combined with AI-powered analysis (Claude, Anthropic). CXComply is not a law firm, regulator, or certified auditor. This report does not constitute legal advice. Findings represent probable risks identified through automated checks against UK GDPR, ICO guidance, OWASP standards, and PECR. We recommend discussing significant findings with your data protection officer or legal advisor. All evidence was obtained from publicly accessible sources. No protected systems were accessed.

Executive Summary

Two critical consent failures affect every visitor to this site: tracking scripts load before the cookie banner is answered, and they keep running even after a visitor clicks “Reject all”. Combined with a missing HSTS header and a monitor-only DMARC policy, the site's overall posture is below the standard expected for an online retailer handling customer data. Every issue in this report has a concrete fix, most within hours.
2 Critical · 2 High · 2 Medium · 1 Low · 5 Positive

What Your Website Does Well

TLS certificate is valid, issued by Let's Encrypt and renews automatically
TLS 1.3 supported with strong cipher suites; legacy SSL/TLS versions disabled
SPF record present with a hard fail (-all) qualifier
A privacy policy is published and reachable from every page footer
Organisation found on the ICO register of data protection fee payers

Priority Action Plan

Fix these in order. The most impactful improvements come first.

# | Priority | Issue | Est. Time | Est. Cost
1 | Critical | Google Tag Manager and Meta Pixel load before any consent | 2-4 hours | £150-£400
2 | Critical | Trackers keep loading after the visitor clicks “Reject all” | 2-6 hours | £200-£500
3 | High | No HSTS header — connections can be downgraded to HTTP | 30 minutes | £0
4 | High | DMARC policy is p=none — spoofed email is not blocked | 1 hour + monitoring period | £0
5 | Medium | Server header discloses nginx 1.18.0 (end-of-life) | 1-2 hours | £100-£250
6 | Medium | No Content-Security-Policy header | 4-8 hours | £300-£600
7 | Low | No security.txt — researchers have no way to report vulnerabilities | 15 minutes | £0

Detailed Findings

[Critical] Google Tag Manager and Meta Pixel load before any consent (Confidence: high)

When a visitor first lands on the site, Google Tag Manager and the Meta (Facebook) Pixel are loaded and set tracking cookies before the cookie banner has been answered. Non-essential cookies require prior consent, so this is a probable PECR Regulation 6 risk affecting every visitor.

Reference: PECR Reg. 6; UK GDPR Art. 7 (conditions for consent)

ICO Enforcement Precedent: In 2024-25 the ICO wrote to the UK's top 1,000 websites over non-compliant cookie banners and has named advertising cookies set without consent as an enforcement priority. Since the DUAA 2026, the maximum PECR penalty is £17.5M or 4% of turnover.
Evidence: Before consent: _ga, _gid, _fbp cookies set; gtm.js and fbevents.js requested on first paint.
Fix: Configure your consent management platform to block GTM and the Meta Pixel until the visitor clicks accept. In GTM, set built-in Consent Mode to 'denied' by default.
⏱ 2-4 hours 💷 £150-£400 👤 developer
[Critical] Trackers keep loading after the visitor clicks “Reject all” (Confidence: high)

We clicked the banner's reject option in a real browser and verified the network traffic afterwards: the Meta Pixel continued to fire and analytics cookies remained active. A reject choice that is not honoured is treated by regulators as having no consent mechanism at all.

Reference: PECR Reg. 6; UK GDPR Art. 7(3) (withdrawal of consent)

ICO Enforcement Precedent: The ICO's 2025 cookie-banner sweep specifically tested whether 'reject' stops non-essential processing; sites that ignored the choice received enforcement letters first.
Evidence: After clicking 'Reject all': fbevents.js requested; _fbp cookie still set.
Fix: Wire the CMP's reject event to actually unload or never load tracking tags. Test with the browser network panel: after reject, no requests to googletagmanager.com, facebook.net or analytics endpoints should appear.
⏱ 2-6 hours 💷 £200-£500 👤 developer
[High] No HSTS header — connections can be downgraded to HTTP (Confidence: high)

The site never sends Strict-Transport-Security, so a network attacker can force a visitor's browser onto unencrypted HTTP and intercept session cookies or form data (an SSL-stripping attack). This affects checkout and login pages.

Reference: UK GDPR Art. 32 (security of processing)

ICO Enforcement Precedent: ICO penalty notices for security failures regularly cite missing transport-layer protections as evidence of inadequate technical measures.
Evidence: GET https://acme-retail.example/ -> 200 OK; Strict-Transport-Security: (absent)
Fix: Send the Strict-Transport-Security header on every HTTPS response.
⏱ 30 minutes 💷 £0 👤 self
📄 Ready-to-deploy configuration file

    # Apache (.htaccess or vhost)
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
[High] DMARC policy is p=none — spoofed email is not blocked (Confidence: high)

A DMARC record exists but its policy is 'none', which only monitors and never blocks. Criminals can send invoices or password-reset emails that appear to come from your exact domain, and receiving servers will deliver them.

Reference: UK GDPR Art. 32; NCSC email security guidance

ICO Enforcement Precedent: Phishing from spoofed domains is a recurring root cause in ICO breach reports; 'monitor-only' DMARC is consistently flagged in post-incident reviews.
Evidence: _dmarc.acme-retail.example TXT "v=DMARC1; p=none; rua=mailto:dmarc@acme-retail.example"
Fix: Move to p=quarantine after reviewing DMARC aggregate reports for legitimate senders, then to p=reject. Most organisations complete this in 2-4 weeks.
⏱ 1 hour + monitoring period 💷 £0 👤 self
[Medium] Server header discloses nginx 1.18.0 (end-of-life) (Confidence: high)

Every response announces 'Server: nginx/1.18.0'. That version reached end-of-life in 2021 and no longer receives security patches; advertising it gives attackers a ready-made list of known exploits to try.

Reference: UK GDPR Art. 32 (state of the art)

ICO Enforcement Precedent: Running unsupported software was a central finding in several ICO penalties, including cases where the breach exploited known, patchable vulnerabilities.
Evidence: Server: nginx/1.18.0 (EOL April 2021)
Fix: Upgrade nginx to a supported release and set 'server_tokens off;' so the version is no longer disclosed.
⏱ 1-2 hours 💷 £100-£250 👤 developer
[Medium] No Content-Security-Policy header (Confidence: high)

Without a CSP, any script injected into the page (via a compromised third-party tag or XSS flaw) runs with full access — including card skimmers of the kind used in Magecart attacks on retail checkouts.

Reference: UK GDPR Art. 32

ICO Enforcement Precedent: The ICO's largest e-commerce penalties involved injected payment-page skimmers that a restrictive CSP would have blocked or flagged.
Evidence: Content-Security-Policy: (absent on all sampled pages)
Fix: Deploy a Content-Security-Policy in report-only mode first, review the violation reports for a week, then enforce.
⏱ 4-8 hours 💷 £300-£600 👤 developer
[Low] No security.txt — researchers have no way to report vulnerabilities (Confidence: high)

There is no /.well-known/security.txt file, so a researcher who finds a vulnerability has no sanctioned contact route. Sites without one are more likely to hear about flaws from the public internet than from a private disclosure.

Reference: RFC 9116; NCSC vulnerability disclosure toolkit

Evidence: GET /.well-known/security.txt -> 404
Fix: Publish /.well-known/security.txt with a Contact: line and an Expires: date within 12 months.
⏱ 15 minutes 💷 £0 👤 self

GDPR Compliance Checklist

Requirement | Reference | Status
Privacy notice present and accessible | Articles 13/14 | PASS
Appropriate technical security measures | Article 32 | PARTIAL
Email communications security | Article 32 | FAIL
Cookie consent compliance | PECR Reg. 6 | FAIL
ICO registration valid | DPA 2018 s.17 | PASS
Lawful basis stated in privacy policy | Article 13(1)(c) | PARTIAL
Data controller identified | Article 13(1)(a) | PASS
Data subject rights described | Article 13(2)(b-d) | PASS

📋 How This Report Can Help You

If the ICO investigates your organisation, this CXComply report demonstrates that you took proactive steps to identify and address data protection risks. Under the ICO's settlement procedure (introduced 2026), organisations that demonstrate early awareness and remediation efforts may qualify for reduced penalties of up to 40%.

Keep this report as part of your compliance documentation. If you address the findings listed above, re-scan your website to generate an updated report showing your improved compliance posture.