19 Global Jurisdictions

Cookie Compliance &
Risk Intelligence

Great, you have a CMP. Now let 40T verify what it can't see, won't report, and doesn't check.

No signup required · Results in 5 seconds · 100% free
Google Consent Mode v2
IAB TCF v2.2 / v2.3
AI Tracking Detection
GDPR
CPRA
WORKS ALONGSIDE: Cookiebot · OneTrust · CookieYes · Termly · Usercentrics · TrustArc + any CMP
  • 1,247 Websites Scanned
  • 19 Jurisdictions Covered
  • 39+ AI Services Detected
  • <5s Average Scan Time

Scan Your Website Now

Enter your URL and select which jurisdictions to check against.

This automated scan provides a preliminary assessment. Results should be verified by qualified professionals. This is not legal advice.

How It Works

Three simple steps to compliance intelligence.

  • 01 Submit Evidence: Upload cookie data, consent banner HTML, or let our scanner collect evidence automatically.
  • 02 AI Analysis: Our AI evaluates cookies against 19 jurisdictions, detecting CMP, DNS links, GPC, and more.
  • 03 Get Report: Receive detailed findings, risk scores, and auditor-ready PDF reports instantly.

What You'll Get

Every scan delivers actionable intelligence — not just a score.

EXPLAINABLE RISK SCORE
72
+18 Pre-consent tracking (3 services)
+15 No reject button (dark pattern)
+12 Google Consent Mode misconfigured
+10 Third-party cookies without disclosure
+9 Missing GPC support (CPRA)
+8 TCF v2.3 non-compliant

Every point maps to a specific finding.

19 JURISDICTION FLAGS
🇪🇺 EU GDPR 3 VIOLATIONS
🇬🇧 UK GDPR 2 VIOLATIONS
🇺🇸 California CPRA 1 WARNING
🇨🇦 Canada PIPEDA PASS
🇧🇷 Brazil LGPD PASS

+ 14 more jurisdictions checked

AUDITOR-READY PDF REPORT
40T
Cookie Compliance Report
Executive Summary
Violations (5)
Pre-consent tracking detected
GCM v2 misconfigured
Dark pattern: no reject button
Recommendations

Branded PDF · Evidence hash · Timestamped

Why Choose 40T Secure AI?

Evidence-based cookie compliance intelligence built by security experts. Every score explainable. Every finding actionable.

AI-Powered Cookie Intelligence

The most advanced AI cookie scanning engine available. Automatically classify cookies, detect tracking scripts, and identify compliance gaps across 19 global jurisdictions.

39+ AI Services Detected
19 Jurisdictions
<5s Scan Time

AI Cookie Classification

Intelligent categorization of cookies: necessary, functional, analytics, and marketing—automatically.

Explainable Risk Scoring

Every point in your risk score maps to a specific finding. No black boxes — show auditors and legal teams exactly why a site scored the way it did.

Scan History & Compliance Drift

Track how your compliance posture changes over time. Detect new trackers, removed consent mechanisms, or CMP misconfigurations before regulators do.

Audit Trail & Diff Engine

Compare scan-over-scan changes automatically. See exactly what changed between audits — new cookies added, consent banners removed, tracking scripts modified.

Pre-Consent Tracking

Unique detection of tracking that fires BEFORE user consent—a critical violation others miss.

Dark Pattern Detection

Identify manipulative UI designs that trick users into accepting cookies.

Google Consent Mode v2

Full detection of Google's required consent signals for EU/EEA advertising compliance.

AI Agent Compliance API

AI agents call 40T before interacting with websites. Verify cookie compliance programmatically — the compliance layer for the agentic web.

Independent CMP Auditor

Great, you have a CMP. It's doing its job. Now let 40T do ours — we verify what your CMP can't see, won't report, and doesn't check. Think of us as your independent compliance audit running 24/7. Works alongside Cookiebot, OneTrust, CookieYes, Termly, and any CMP.

Security-Driven. Compliance-Focused.

Built by experienced cybersecurity specialists who have protected complex government and enterprise systems. 40T approaches compliance as a security control — not just a checkbox.

19 Jurisdictions, One Scan

A single scan evaluates compliance across EU GDPR, UK GDPR, 11 US state laws, Canada, Brazil, Australia, South Africa, and Thailand. No per-jurisdiction pricing — full global coverage included.

Auditor-Ready Reports

Enterprise PDF reports with your branding. Share with legal teams, auditors, and stakeholders.

Continuous Monitoring & Alerts

Scheduled re-scans detect when your cookie posture changes — new trackers, removed consent, or CMP misconfigurations. Get alerted before regulators find the problem.

Start Free

No credit card required. No sales calls. Start scanning immediately with our free tier.

E-commerce · Financial Services · Healthcare · Education · SaaS · Agencies · Law Firms · Any Website

"40T found pre-consent tracking on our site that our CMP missed entirely. Three analytics services were firing before the consent banner even loaded."
— Privacy team lead, E-commerce company

19 Jurisdictions. One Platform.

Comprehensive compliance analysis across major privacy regulations worldwide.

  • 🇪🇺 European Union: GDPR
  • 🇬🇧 United Kingdom: UK GDPR
  • 🇧🇷 Brazil: LGPD
  • 🇦🇺 Australia: Privacy Act
  • 🇺🇸 California: CPRA
  • 🇺🇸 Virginia: VCDPA
  • 🇺🇸 Colorado: CPA
  • 🇺🇸 Connecticut: CTDPA
  • 🇺🇸 Texas: TDPSA
  • 🇺🇸 Utah: UCPA
  • 🇺🇸 Oregon: OCPA
  • 🇺🇸 Montana: MCDPA
  • 🇺🇸 Delaware: DPDPA
  • 🇺🇸 Iowa: ICDPA
  • 🇺🇸 New Jersey: NJDPA
  • 🇨🇦 Canada: PIPEDA
  • 🇨🇦 Quebec: Law 25
  • 🇦🇪 UAE: PDPL
  • 🇸🇦 Saudi Arabia: PDPL

WHAT 40T VERIFIES

Every finding cites the specific regulation, article, and section it violates. Here's what we check.

CONSENT COMPLIANCE

Pre-consent tracking detection, banner presence, reject option visibility, and CMP configuration verification across opt-in and opt-out jurisdictions.

OPT-IN · OPT-OUT

AD TECH COMPLIANCE

Google Consent Mode v2 signal validation, IAB TCF v2.2/v2.3 implementation detection, and vendor consent string verification.

EU/EEA

US STATE PRIVACY

"Do Not Sell/Share" link detection, Global Privacy Control (GPC) signal honoring, and state-specific requirements across 11 US jurisdictions.

11 US STATES

AI/ML & SECURITY

39+ AI tracking service identification, session recording detection, cookie security flag auditing, and third-party data sharing analysis.

ALL JURISDICTIONS

Full regulation citations (articles, sections, recitals) appear in every scan result and PDF report.

"We thought our Cookiebot setup was compliant. 40T showed us Google Consent Mode v2 wasn't actually firing correctly — a violation we'd never have caught on our own."
— Compliance officer, SaaS company

Simple, Transparent Pricing

Start free. Scale as you grow. No hidden fees.

FREE
Try it — no credit card
$0 / forever
  • 3 scans / month
  • All 19 jurisdictions
  • Risk score + findings
  • On-screen results
  • One-time PDF report: $14 each
  • Scan history
  • API access
ENTERPRISE
For large organizations
Custom
  • Everything in Professional
  • Unlimited domains
  • Daily scheduled monitoring
  • SSO / SAML available
  • Custom API limits
  • Dedicated account manager
  • SLA available
  • White-label branding
  • Priority support
Also available: Solo ($29/mo) for consultants · Business ($149/mo) for teams

AI Agent Compliance

The web is evolving from pages to callable services. 40T is building the compliance layer.

THE SHIFT

Google's WebMCP is turning websites into APIs for AI agents. Agents will book flights, file tickets, and add to carts — triggering cookies and tracking on every interaction. But most consent management platforms were built for human browsers with visual banners. They have no concept of AI agent consent.

Agent-Aware Scanning

Audit what happens when AI agents — not just humans — visit your site. Detect tracking that fires without visual consent prompts.

Pre-Action Compliance API

AI agents call 40T's API before interacting with a site to verify consent compliance — the compliance layer for the agentic web.

WebMCP Ready

As sites expose structured tools via WebMCP, 40T will query consent APIs directly — moving from HTML scraping to structured compliance verification.

"We're not just auditing today's web. We're building the compliance layer for tomorrow's — where AI agents interact with millions of sites and every interaction needs verified consent."

— 40T Secure AI Vision

Interested in AI agent compliance for your organization?

REQUEST EARLY ACCESS →

Clear Expectations

✓ 40T Secure AI Is
  • An independent compliance auditor — verifies your CMP is working correctly
  • Evidence-based and explainable risk intelligence
  • Compatible with any CMP (Cookiebot, OneTrust, CookieYes, Termly, etc.)
  • Covering 19 global jurisdictions with AI-powered detection
  • Designed for privacy, security, and compliance teams
✗ 40T Secure AI Is Not
  • A consent management platform (CMP) — we audit CMPs, not replace them
  • A cookie banner generator or consent widget
  • A replacement for legal counsel
  • A passive always-on crawler — monitoring is performed via scheduled re-scans of configured targets
  • An enforcement or blocking system

Frequently Asked Questions

Enter your website URL, and our AI analyzes all cookies, tracking scripts, and consent mechanisms. You get instant results showing compliance status across 19 jurisdictions, risk scores, and actionable recommendations.

We cover 19 jurisdictions including: EU GDPR, UK GDPR, California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Utah UCPA, Oregon OCPA, Montana MCDPA, Delaware DPDPA, Iowa ICDPA, New Hampshire NHPA, Canada PIPEDA, Quebec Law 25, Brazil LGPD, Australia Privacy Act, UAE PDPL, and Saudi Arabia PDPL.

Your scan data is processed securely and never shared with third parties. We use TLS encryption in transit and encrypted storage at rest. SOC 2 Type II certification is on our roadmap.

Google Consent Mode v2 is required since March 2024 for websites using Google Ads or Analytics in the EU/EEA. Our scanner detects if you have it properly implemented with the required signals (ad_storage, analytics_storage, ad_user_data, ad_personalization).

We detect 39+ AI-powered services including: AI analytics (Amplitude, Mixpanel, Heap), AI chatbots (Intercom, Drift, Zendesk), session recording (Hotjar, FullStory), AI personalization (Dynamic Yield, Optimizely), and AI advertising platforms.

PDF reports are available starting from the Solo plan ($29/mo). You can also purchase a single audit report for $14 (coming soon). Free users get full on-screen compliance results.

The free plan includes 3 scans per month with coverage across all 19 jurisdictions. Need more? The Solo plan ($29/mo) gives you 30 scans plus PDF reports and scan history. Professional ($79/mo) gives unlimited scans with alerts and scheduled monitoring.

Yes! API access is included starting from the Professional plan ($79/mo) with 1,000 calls/month. Business ($149/mo) includes 10,000 calls/month.

Your report includes: an overall risk score (0-100), jurisdiction-by-jurisdiction compliance status, detailed findings with severity levels (Critical, High, Medium), specific recommendations, and a complete cookie inventory. PDF reports can be shared with auditors and legal teams.

No. 40T Secure AI provides compliance intelligence and risk assessment based on technical analysis. It is not a substitute for qualified legal counsel. We recommend consulting with a privacy attorney for specific legal guidance.

Those are consent management platforms (CMPs) — they implement your cookie banner. 40T is an independent auditor that verifies your CMP is actually working correctly. Your CMP is the security guard; 40T is the inspector who checks if the guard is doing their job. We detect misconfigurations, pre-consent tracking, missing consent signals, and compliance gaps that your CMP can't self-report.

No — and we never will. 40T complements your existing CMP. We detect 9 major CMPs (Cookiebot, OneTrust, CookieYes, Termly, Usercentrics, Didomi, Sourcepoint, ConsentManager, TrustArc) and verify their implementation is correct. Keep your CMP for consent collection; use 40T for independent compliance validation.

Yes — and it's more affordable than you think. GDPR fines can reach €20M, CPRA fines $7,500 per violation, and Google now blocks ad revenue from non-compliant sites. Even a small Shopify store or WordPress blog with EU visitors needs proper consent. 40T's free tier lets you scan 3 times per month to see exactly where you stand — no credit card, no signup hassle. Most small businesses discover issues they didn't know existed.

Agencies love 40T because it gives you one dashboard to monitor compliance across all client domains. The Professional plan ($79/mo) covers up to 10 domains with scheduled monitoring, change detection, and alerts when something breaks. Business plan ($149/mo) scales to 25 domains with white-label PDF reports you can brand with your agency's logo and deliver directly to clients. No more manually checking each site — 40T flags the problems and you focus on fixing them.

Enterprise teams use 40T as an independent compliance verification layer alongside their existing CMP (OneTrust, TrustArc, etc.). Key enterprise capabilities include: unlimited domain monitoring, API integration into your CI/CD pipeline or GRC platform, scheduled daily scans with drift detection alerts, auditor-ready PDF reports for regulatory evidence, and Slack/webhook integrations for real-time compliance notifications. Contact us for custom SLA and SSO/SAML requirements.

CMPs report on what they control — the consent banner and cookie blocking they implement. But they can't detect issues outside their scope: third-party scripts that fire before consent, misconfigured Google Consent Mode signals, dark patterns in banner design, or tracking services your CMP doesn't know about. 40T scans your site the way a regulator would — from the outside — and reports what's actually happening, not just what's configured. That's why independent validation matters.

E-commerce sites are high-risk because they typically use payment processors, analytics, retargeting pixels, live chat, and session recording — all of which set cookies. Common issues 40T catches: Facebook/Meta pixels firing before consent, Google Analytics collecting data without proper Consent Mode v2 signals, Shopify apps injecting undisclosed trackers, and missing "Do Not Sell" links required by CPRA. One scan gives you the full picture.

Add your sites to the monitoring dashboard and set your preferred interval (hourly, daily, or weekly). 40T automatically re-scans each site on schedule, compares results against previous scans, and generates alerts when your compliance posture changes — for example, if a new tracker appears, your risk score increases, or a CMP configuration breaks. You see what changed, when it changed, and exactly what to fix. Available on Professional ($79/mo) and above.

IAB Europe's Transparency and Consent Framework (TCF) v2.3 becomes mandatory on February 28, 2026. Google will drop support for TCF v2.2, meaning sites still using v2.2 will default to Limited Ads — potentially cutting programmatic ad revenue by 50% or more. 40T detects which TCF version your site currently implements, identifies your CMP provider, and flags if migration to v2.3 is still needed.

As Google's WebMCP and similar technologies turn websites into callable services for AI agents, a new compliance challenge emerges. AI agents booking flights, filing forms, and making purchases trigger cookies and tracking — but they don't see consent banners. Your CMP was built for humans with browsers, not for autonomous AI agents. 40T is building agent-aware scanning to audit what happens when AI agents interact with your site, and a Pre-Action Compliance API so agents can verify consent before acting. This is the future of privacy compliance — and 40T is building it now.

AI agents call 40T's compliance check endpoint before interacting with any website. The API returns a risk score, CMP detection status, pre-consent tracking flags, and a safe-for-agent recommendation in under 200ms. Agents can verify compliance programmatically without human intervention. Available as a REST API and as an MCP (Model Context Protocol) server compatible with Claude, GPT, Gemini, and other AI platforms.

40T only reads publicly visible website data — cookies, consent banners, and tracking scripts. We never access user accounts, personal data, or private pages. Agent compliance checks use the same scan data as human scans. All data is encrypted in transit and at rest. 40T is built by cybersecurity professionals with government-grade security experience, including Top Secret clearance holders and certified CISM/CISA professionals.

Yes. Use 40T's batch compliance check to pre-screen a list of domains before your agents visit them. Set risk thresholds — for example, block agent interaction with any site scoring above 70. Integrate via our REST API or MCP server for real-time compliance gating in your agent workflows.

WebMCP (Web Model Context Protocol) is a W3C standard shipping in Google Chrome 146 that turns websites into callable APIs for AI agents. When agents interact with sites via WebMCP, they trigger cookies and tracking — but consent banners designed for human browsers don't appear for non-human visitors. This creates a compliance gap that no CMP currently addresses. 40T verifies compliance for both human and agent interactions.

Yes — they solve different problems. AI governance tools like Zenity manage what your agents can do (permissions, guardrails, security). 40T verifies what websites do to your agents — specifically whether sites set tracking cookies, fire pre-consent analytics, or use dark patterns during agent interactions. Think of it this way: governance controls your agent's behavior, 40T audits the websites your agent visits. The two are complementary.

Still have questions?

Contact Support

Ready to verify what your CMP can't see?

Start scanning for free. No credit card. No sales calls. Results in 5 seconds.
