GDPR · 5 min read · 2026-03-08

5 GDPR Tracker Myths That Get Websites Fined

Google Analytics is not automatically compliant. Consent banners are not a shield. Here are five widely-believed myths about trackers, cookies, and GDPR that are costing businesses real money.

The fines keep coming. In 2025, EU data protection authorities issued over €1.8 billion in GDPR penalties — a record. A disproportionate share involved trackers, cookies, and analytics tools that operators believed were compliant. They were not.

Here are five myths that keep appearing in enforcement decisions.

Myth 1: "A cookie banner makes us compliant"

A cookie banner is a mechanism for collecting consent. It does not guarantee consent is valid. Regulators look at how consent is obtained:

  • Was the "accept all" option visually prominent and the "reject" option hidden or harder to reach? Dark pattern — consent invalid.
  • Did the banner fire analytics or advertising trackers before the user clicked accept? Pre-ticking — consent invalid.
  • Did the user have a way to withdraw consent as easily as they gave it? If not — consent invalid.

The CNIL (France), the DPA (Germany), and noyb have each brought successful complaints on exactly these points. A banner is necessary but not sufficient.

Myth 2: "We use server-side tagging so no trackers appear in the browser"

Server-side tagging moves the data collection to your server before forwarding it to analytics or ad platforms. Some businesses assume this hides them from regulators.

It does not. The GDPR applies to the processing of personal data, not to where the JavaScript runs. If you are passing IP addresses, user IDs, or behavioural data to a third party like Google or Meta — even via your own server relay — the same lawful basis requirements apply.

Myth 3: "Google Analytics is fine because everyone uses it"

This has been tested in courts repeatedly. The Austrian DSB, French CNIL, and Italian Garante all ruled that standard Google Analytics configurations transfer personal data to the US in violation of GDPR Chapter V (international transfers), because US surveillance law gives US authorities access to that data.

Google Analytics 4 with IP anonymisation and server-side proxying can be configured in a compliant way. Default installations — which represent the vast majority of deployments — are not automatically compliant simply because Google is a large company.

Myth 4: "Legitimate interests covers our analytics"

Article 6(1)(f) — legitimate interests — is a real lawful basis. But the European Data Protection Board is explicit: using it for third-party advertising trackers is generally not appropriate, because the legitimate interests of those third parties are unlikely to override the individual's rights and reasonable expectations.

For first-party analytics that are strictly necessary for service improvement, legitimate interests may apply — but you need a documented balancing test, not just a checkbox in your privacy policy.

Myth 5: "We only need to worry if we have EU users"

The GDPR's territorial scope (Article 3) covers processing related to the offering of goods or services to EU data subjects, or the monitoring of their behaviour in the EU. You do not need an EU office, an EU server, or an EU customer base of any minimum size.

If your website is accessible in the EU, contains a language option for German, French, or any other EU language, or has prices in euros — regulators will consider you to be "offering services" in the EU. The location of your company is not a shield.
What to actually do

  1. Scan your site for trackers before they scan it for you. Know what's firing, not just what you intentionally installed.
  2. Check your consent mechanism against the EDPB's guidelines on consent (05/2020). Reject paths must be as easy as accept paths.
  3. Audit international transfers — every tracker that phones home to a US-based service is a potential transfer. Document your transfer mechanisms (SCCs, etc.).
  4. Document your lawful bases per purpose, not per tool.

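The pre-consent check from Myth 1 and the "know what's firing" step above can be automated against a browser network capture. The following is an added example, not code from the article or its authors: it reads a minimal HAR-style request log (constructed inline) and lists every request to a tracker host whose start time precedes the consent click. The tracker host list is an illustrative assumption, not a standard list.

```python
"""Flag tracker requests that fired before the user gave consent.

Added example: reads HAR-style entries (constructed inline below) and
reports requests to known tracker hosts that started before the consent
click timestamp. The host list is an assumption; extend it from your own
scan results.
"""
from datetime import datetime
from urllib.parse import urlparse

# Illustrative tracker hosts (assumption, not a regulator-endorsed list).
TRACKER_SUFFIXES = (
    "google-analytics.com",
    "googletagmanager.com",
    "doubleclick.net",
    "facebook.net",
)

def is_tracker(url: str) -> bool:
    """True if the URL's host is a listed tracker host or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)

def _ts(value: str) -> datetime:
    # HAR timestamps are ISO 8601; older Pythons do not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pre_consent_trackers(entries: list[dict], consent_at: str) -> list[str]:
    """Return URLs of tracker requests that started before consent was given."""
    cutoff = _ts(consent_at)
    return sorted(
        e["request"]["url"]
        for e in entries
        if is_tracker(e["request"]["url"]) and _ts(e["startedDateTime"]) < cutoff
    )

# Constructed sample capture: two tracker hits before the accept click, one after.
SAMPLE_ENTRIES = [
    {"startedDateTime": "2026-03-08T10:00:00.100Z",
     "request": {"url": "https://example.com/"}},
    {"startedDateTime": "2026-03-08T10:00:00.900Z",
     "request": {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"}},
    {"startedDateTime": "2026-03-08T10:00:01.200Z",
     "request": {"url": "https://www.google-analytics.com/g/collect?v=2"}},
    {"startedDateTime": "2026-03-08T10:00:09.000Z",
     "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
]
CONSENT_CLICKED_AT = "2026-03-08T10:00:05.000Z"  # constructed consent event time

if __name__ == "__main__":
    for url in pre_consent_trackers(SAMPLE_ENTRIES, CONSENT_CLICKED_AT):
        print("fired before consent:", url)
```

Export a HAR from the browser's network panel with the consent click time noted, and any non-empty result is a finding to fix before a regulator reproduces it.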
The fines in 2026 are larger than they were in 2022. The appetite for enforcement is not declining.
