Website Trust Check: Free GDPR & Security Scan in 60 Seconds
Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026
You have a website. Maybe self-built, maybe by a designer. You know there are rules around privacy, cookies, and security. But does your website actually comply?
Most business owners only find out something is wrong when it's too late. A warning from the Autoriteit Persoonsgegevens. A visitor complaining about an insecure connection. A claim for an image used without licence. Or simply customers dropping off because the site doesn't look trustworthy.
A free website scan shows where you stand in 60 seconds. This article explains what a scan checks, how it works, and what to do with the results.
Why checking your website matters
Three reasons regular checks aren't a luxury but a necessity.
Fines and enforcement
GDPR applies to every website that processes personal data. A contact form, Google Analytics, a newsletter field: it all counts. The Autoriteit Persoonsgegevens does not differentiate by company size. In 2025 the AP warned more than 200 Dutch websites, including sole proprietors and small webshops.
GDPR fines can reach 20 million euros or 4 percent of annual turnover. In practice the AP starts with a warning, but the warning comes with a deadline. Those who don't act on time face a formal investigation.
Since 28 June 2025 the European Accessibility Act (Directive 2019/882) also applies. Webshops and digital service providers must make their sites accessible to people with disabilities. The ACM enforces it in the Netherlands.
Reputation damage
A browser showing "Not secure" on your site. A cookie banner that doesn't work. A missing privacy policy. These are signals visitors pick up, consciously or not. Research shows 84 percent of online shoppers abandon a purchase if the connection is insecure.
Your competitor whose site has the lock icon, a professional cookie banner, and proper legal pages? They earn more trust. Trust you might be losing without knowing.
Lower Google ranking
Google uses HTTPS, load speed, and user experience as ranking factors. Websites with security or accessibility issues rank lower in search results. A scan surfaces exactly those issues that undermine your position.
What a website scan checks
A thorough scan goes beyond "is there a lock icon". The TrustYourWebsite scanner checks 150+ points across seven areas.
1. GDPR compliance
The scan checks whether your site meets privacy law:
- Is there a privacy policy present and accessible?
- Does it contain the required elements (contact details, processing purposes, retention periods, data subject rights)?
- Is personal data transmitted over HTTPS?
- Are forms linked to the privacy policy?
- Is data sent outside the EU without a valid legal basis?
More on GDPR obligations in the GDPR compliance checklist.
2. Cookies and tracking
This is where most sites fail. The scan detects:
- Which cookies your site sets (first-party and third-party)
- Whether tracking cookies load before the visitor consents
- Whether your cookie banner meets requirements (equal choice, no pre-ticked boxes)
- Whether Google Analytics, Facebook Pixel, or other trackers are active
- Whether external sources like Google Fonts transmit visitor IP addresses
More on cookie banners in our article on when a cookie banner is mandatory. You can also check your cookies directly with the cookie checker.
3. Security
The scan checks technical security at multiple levels:
- SSL certificate: active, valid, correctly configured?
- Security headers: Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and more
- Mixed content: are unencrypted resources loaded on an HTTPS page?
- Outdated software: visible version numbers of CMS, frameworks, libraries
- Open ports and known vulnerabilities
For concrete steps you can take yourself, see the GDPR Article 32 security checklist or the practical SME security checklist.
4. Accessibility
From June 2025 the European Accessibility Act applies. The scan checks the most common issues:
- Missing alt text on images
- Insufficient colour contrast between text and background
- Forms without labels
- Pages not navigable by keyboard
- Missing language attributes and ARIA labels
More on the European Accessibility Act.
5. Image rights
Images on your website can become an expensive problem if you have no valid licence. The scan checks:
- EXIF and image metadata
- Known stock-photo watermarks
- Images from services where claims often originate
More on what to do when you receive a copyright claim letter.
6. Legal pages
Dutch websites have several required elements. The scan checks:
- Is there a privacy policy?
- Is there a cookie policy?
- Are your KVK number and business details displayed?
- Are terms and conditions present (for webshops)?
- Are outdated legal links present (e.g. the discontinued ODR platform)?
7. E-commerce compliance
If you sell online, extra rules apply. The scan checks:
- Is the order process clear (prices inclusive of VAT, shipping costs, delivery times)?
- Is the 14-day right of withdrawal stated?
- Is the return policy described?
- Is the payment process secure?
- Does the order button meet EU law ("order with payment obligation")?
How the scan works
The TrustYourWebsite scanner is fully automated. No software to install, no account, no technical knowledge required.
Step 1: Enter the URL
Go to trustyourwebsite.com/scan and enter your URL, e.g. yourbusiness.com.
Step 2: Start the scan
Click "Scan". The scanner opens your website in a sandboxed browser and automatically checks 150+ points. This takes about 60 seconds.
The scanner respects your site: maximum 1 request per second, no modifications, robots.txt is honoured.
Step 3: View the results
Right after the scan you see a risk score from 0 to 100. Higher is better. You also see a list of issues found, classified by severity:
- Critical (-15 points): immediate risks requiring urgent action
- High (-10 points): serious issues to address quickly
- Medium (-5 points): improvement points worth attention
- Low (-2 points): small notes
No account required. No commitment. Results within a minute.
Free scan vs. paid scan
The free scan checks the same 150+ technical points as the paid version. The difference is the depth of the report.
Free scan
- Risk score (0-100)
- Overview of issues per category
- Severity classification (critical, high, medium, low)
- Issue counts per area
That's enough to know where you stand and whether there are urgent problems.
Paid scan
Everything in the free scan, plus:
- Screenshots of each issue
- Specific fix instructions per issue
- Technical details (which header is missing, which cookie causes the problem)
- Exportable PDF report you can share with your developer
If you're technically inclined and just want to know whether there are problems, the free scan is enough. If you need a concrete action plan, or want to forward the report to your designer, the paid scan is the better choice.
The 5 most common issues
After thousands of scans we keep seeing the same problems. The top five.
1. Cookies without consent
The most common issue: tracking cookies set before the visitor consents. Google Analytics, Facebook Pixel, HubSpot, Hotjar: they often load on the first visit. That's a direct GDPR violation.
The fix: make sure your cookie banner blocks all non-functional scripts until the visitor actively consents. Block in advance, not remove afterwards.
2. Missing security headers
Most sites lack essential security headers like Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security. Your host doesn't set them by default. Your designer doesn't think of them. But without these headers, your site is more vulnerable to attacks.
The fix: add the headers via server configuration, an .htaccess file, or a plugin. Check which you're missing with our security headers checker.
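A header being present does not mean it protects anything: a short HSTS max-age or a CSP that allows inline scripts still leaves a gap. The sketch below is an added example, not the TrustYourWebsite scanner's code; it audits the headers named in this article, and the max-age threshold and the sample responses are assumptions made for the example.

```python
import re

MIN_HSTS_MAX_AGE = 15768000  # about six months; threshold assumed for this example

def audit_headers(raw_headers):
    """Return findings for a dict of HTTP response headers (names case-insensitive)."""
    h = {name.lower(): value.strip() for name, value in raw_headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security: max-age absent or too short")

    # Split the CSP into {directive: [sources]} so single directives can be inspected.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if not csp:
        findings.append("Content-Security-Policy: missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("Content-Security-Policy: scripts allow 'unsafe-inline'")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options: missing")
    elif xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: value must be nosniff")

    # Either header protects against framing; frame-ancestors supersedes X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options: missing or invalid, and no CSP frame-ancestors")
    return findings

# Constructed sample responses, not output from any real site.
WEAK = {"Strict-Transport-Security": "max-age=300", "x-content-type-options": "sniff",
        "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED = {"strict-transport-security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff"}
```

Feed it the headers from your own site's response to see which findings apply before you edit the server configuration or .htaccess file.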
3. Missing or incomplete privacy policy
A missing privacy policy is an obvious violation. Just as often we find incomplete privacy policies: no retention periods, no mention of data subject rights, outdated contact details, or a generic text that doesn't match what the website actually does.
The fix: write a privacy policy that fits your situation. State what data you collect, why, how long you keep it, and what rights visitors have. See what a privacy policy must contain.
4. Mixed content
You have an SSL certificate, but your site loads images, scripts, or stylesheets over HTTP. Browsers block these resources or show a warning. The result: broken images, missing functionality, and a site that, despite the lock icon, is not fully secure.
The fix: find http:// references in your source code and database and replace with https://. In WordPress you can do this with the "Better Search Replace" plugin.
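Not every http:// string in your source is mixed content: an ordinary link to an HTTP page or a canonical tag loads nothing, while a script, stylesheet, or image does. The following added example (not the TrustYourWebsite scanner's code) parses a page and reports only the http:// references that are actually fetched as subresources; the sample page and its host names are constructed for illustration.

```python
from html.parser import HTMLParser

ACTIVE = {"script", "iframe", "link"}            # can change the page; browsers block these
PASSIVE = {"img", "audio", "video", "source"}    # media; browsers warn or upgrade

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet links fetch a subresource; rel="canonical" does not.
            if "stylesheet" not in a.get("rel", "").lower().split():
                return
            urls = [a.get("href", "")]
        elif tag in ACTIVE or tag in PASSIVE:
            urls = [a.get("src", "")]
            # srcset holds comma-separated "url descriptor" candidates.
            urls += [c.split()[0] for c in a.get("srcset", "").split(",") if c.strip()]
        else:
            return  # <a href="http://..."> is navigation, not mixed content
        kind = "active" if tag in ACTIVE else "passive"
        for url in urls:
            if url.strip().lower().startswith("http://"):
                self.findings.append((kind, tag, url.strip()))

def find_mixed_content(html):
    """Return the http:// subresources referenced by an HTML document."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; example.com/example.org hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="HTTP://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="/logo.png" srcset="http://img.example.com/a.png 1x, https://img.example.com/a2.png 2x">
</body></html>"""
```

Run it over the rendered HTML of each template or page type rather than a single URL, since http:// references often come from database content that only appears on some pages.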
5. Missing alt text on images
Alt text describes what's in an image. Screen readers read this to blind and low-vision visitors. Without alt text, your images are invisible to them. It's not just an accessibility problem; it also hurts SEO, because Google uses alt text to understand images.
The fix: add a descriptive alt text to every image. Not "IMG_2847.jpg", but a short description of what's shown.
What to do after the scan
You've run the scan and see a list of issues. Where to start?
Prioritise by severity
Tackle critical and high issues first. These are the points that directly expose you to fines, security risk, or customer loss. Medium and low issues are important but less urgent.
A practical order:
- SSL and HTTPS: if you don't have a valid SSL certificate, fix that first. Everything else depends on it.
- Cookies and tracking: block tracking cookies until consent. The AP is actively enforcing this.
- Privacy policy: make sure it's there and accurate. An afternoon's work.
- Security headers: add the missing headers. Half an hour if you know what you're doing.
- Accessibility: start with the biggest issues (contrast, alt text, form labels).
Self-fix vs. expert
Most issues from a website scan you can fix yourself. Activating SSL, setting up a cookie banner, writing a privacy policy, adding security headers: concrete tasks with clear instructions.
When you do need an expert:
- Complex security issues: if the scan finds vulnerabilities in your server or application configuration
- Big accessibility overhaul: if your site fundamentally isn't accessible (no semantic HTML, no keyboard navigation)
- Custom code: if you have a hand-built site without a CMS and you don't know how to adjust server settings
- E-commerce compliance: if your order flow doesn't comply and your shop runs on a complex platform
In all other cases: start yourself. Our topic-specific guides have step-by-step instructions that require no technical background.
Share the report with your developer
Do you have a developer who manages your site? Forward the scan report. A paid scan contains technical details and fix instructions a developer can pick up directly. That saves back-and-forth and prevents misunderstandings.
When to repeat the scan
A one-off scan is a good start, but not an endpoint. Your site changes continuously: new pages, updated plugins, modified forms, added tracking scripts. Every change can introduce new problems.
Re-scan after:
- Every plugin or theme update: updates can reset settings or introduce new cookies
- A new form or contact page: any form processing personal data must comply with GDPR
- A new tool or service: Mailchimp, HubSpot, Calendly, Google Maps, all load external scripts that may set cookies
- A CMS update: large WordPress, Shopify, or Joomla updates can change security settings
- Every quarter: even if nothing has changed. Security vulnerabilities are discovered daily and SSL certificates can expire
Make it a habit. Pick a recurring slot, like you do for bookkeeping.
Scan your website now
Checking your website takes 60 seconds. No account, no software, no technical knowledge required. Enter your URL, click scan, and you know where you stand.
Scan your website free and immediately see which issues exist. You get a risk score and an overview of all findings. Concrete, jargon-free, with clear priorities.