I Audited 10 Popular Websites for Privacy Compliance - Here's What I Found
Using TrustScan's Website Privacy Audit tool, I scanned popular websites across 6 compliance checks. The results reveal a consistent pattern: strong security headers on developer platforms, near-universal cookie consent failures, and zero AI disclosure across the board.
GDPR has been enforceable since 2018. Cookie consent has been legally required for years. Yet when you actually scan popular websites, a surprising number are still failing basic compliance checks - including platforms that serve millions of EU users daily.
I built TrustScan's Website Privacy Audit to make it easy to check any website across 6 key areas. Each check contributes to a Trust Score out of 100. Here is what happened when I ran it against 8 real websites plus my own portfolio, 9 sites in total.
The 6 checks: HTTPS (20pts), Security Headers (20pts), Cookie Consent (20pts), Privacy Policy (20pts), Third-Party Trackers (10pts), AI Disclosure (10pts). Warnings give half points. Fails give zero.
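The scoring scheme above is simple enough to reproduce. The following is an added example, not TrustScan's code: a minimal static audit that applies the six checks and weights to one captured response (final URL, response headers, HTML body). The detection patterns are assumptions about how consent banners, privacy links, trackers and AI notices usually appear in served HTML; a real scanner needs a far longer list. The second constructed sample shows the limitation that matters most for reading the results that follow: a banner injected by client-side JavaScript is invisible to a static scan.

```javascript
// Added example, not TrustScan's code. Weights and pass/warn/fail points
// are exactly as the post describes: pass = full, warn = half, fail = zero.
const WEIGHTS = { https: 20, headers: 20, consent: 20, privacy: 20, trackers: 10, ai: 10 };
const POINTS = { pass: 1, warn: 0.5, fail: 0 };

// The four headers the post's "4 security headers" check refers to.
const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
];

// Detection patterns: assumptions about common markup, not an exhaustive list.
const CONSENT_PATTERNS = [/cookie[-_ ]?(consent|banner|notice)/i, /onetrust/i, /cookiebot/i, /consent[-_ ]?manager/i];
const PRIVACY_LINK = /href="[^"]*privacy[^"]*"/i;
const TRACKER_PATTERNS = {
  'Google Analytics': /googletagmanager\.com\/gtag\/js|google-analytics\.com/i,
  'Google Tag Manager': /googletagmanager\.com\/gtm\.js/i,
  'Meta Pixel': /connect\.facebook\.net\/[^"']*fbevents\.js/i,
};
const AI_PATTERNS = [/\bAI[- ]?(disclosure|generated|assisted|powered)\b/i, /artificial intelligence/i];

function runChecks({ url, headers, html }) {
  // Header names are case-insensitive; normalise before looking them up.
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  const missing = REQUIRED_HEADERS.filter((name) => !present.has(name));
  const trackers = Object.entries(TRACKER_PATTERNS)
    .filter(([, re]) => re.test(html))
    .map(([name]) => name);

  return {
    https: { status: url.startsWith('https://') ? 'pass' : 'fail' },
    headers: {
      status: missing.length === 0 ? 'pass' : missing.length < REQUIRED_HEADERS.length ? 'warn' : 'fail',
      missing,
    },
    // Static detection only: a banner rendered by client-side JS is not seen here.
    consent: { status: CONSENT_PATTERNS.some((re) => re.test(html)) ? 'pass' : 'fail' },
    privacy: { status: PRIVACY_LINK.test(html) ? 'pass' : 'fail' },
    // Any known tracker in the HTML is a warning, as in the Amazon row below.
    trackers: { status: trackers.length === 0 ? 'pass' : 'warn', trackers },
    // No site in the post passed this check; absence is scored as a warning.
    ai: { status: AI_PATTERNS.some((re) => re.test(html)) ? 'pass' : 'warn' },
  };
}

function trustScore(results) {
  return Object.entries(WEIGHTS).reduce(
    (sum, [check, weight]) => sum + weight * POINTS[results[check].status], 0);
}

function auditSite(response) {
  const results = runChecks(response);
  return { score: trustScore(results), results };
}

// Constructed sample 1: all four headers, a OneTrust banner in the markup,
// a privacy link and GA loaded directly. Same profile as the Amazon row:
// 20 + 20 + 20 + 20 + 5 (GA warn) + 5 (no AI disclosure) = 90.
const SAMPLE_STATIC_BANNER = {
  url: 'https://shop.example/',
  headers: {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'",
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
  },
  html: `<html><head>
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body><div id="onetrust-banner-sdk"></div>
<footer><a href="/privacy">Privacy Notice</a></footer></body></html>`,
};

// Constructed sample 2: the banner and analytics are rendered by a client-side
// bundle, so the static scan misses both. Consent fails (a false negative) and
// trackers pass (an undeserved pass), with two of four headers set:
// 20 + 10 + 0 + 20 + 10 + 5 = 65.
const SAMPLE_JS_BANNER = {
  url: 'https://app.example/',
  headers: {
    'strict-transport-security': 'max-age=31536000',
    'x-content-type-options': 'nosniff',
  },
  html: `<html><head><script src="/bundle.js"></script></head>
<body><div id="root"></div>
<footer><a href="/legal/privacy-policy">Privacy Policy</a></footer></body></html>`,
};

for (const [name, sample] of Object.entries({ SAMPLE_STATIC_BANNER, SAMPLE_JS_BANNER })) {
  const { score, results } = auditSite(sample);
  console.log(name, score, Object.fromEntries(Object.entries(results).map(([k, v]) => [k, v.status])));
}
```

Run with `node audit.js`. The 65 for the second sample is the point: the site may be perfectly compliant, but a static scanner can only report what the served HTML contains, so every fail in the tables below should be read as "not found in the HTML" rather than "not present".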
Results at a Glance
| Website | Score | HTTPS | Security Headers | Cookie Consent | Privacy Policy | Third-Party Trackers | AI Disclosure |
|---|---|---|---|---|---|---|---|
| Amazon (amazon.com) | 90 | ✓ | ✓ | ✓ | ✓ | ⚠ | ⚠ |
| Figma (figma.com) | 95 | ✓ | ✓ | ✓ | ✓ | ✓ | ⚠ |
| Notion (notion.so) | 85 | ✓ | ⚠ | ✓ | ✓ | ✓ | ⚠ |
| GitHub (github.com) | 75 | ✓ | ✓ | ✗ | ✓ | ✓ | ⚠ |
| Medium (medium.com) | 75 | ✓ | ✓ | ✗ | ✓ | ✓ | ⚠ |
| Vercel (vercel.com) | 75 | ✓ | ✓ | ✗ | ✓ | ✓ | ⚠ |
| Reddit (reddit.com) | 55 | ✓ | ✓ | ✗ | ✗ | ✓ | ⚠ |
| Substack (substack.com) | 45 | ✓ | ⚠ | ✗ | ✗ | ✓ | ⚠ |
| A developer portfolio (hafizkh.dev) | 40 | ✓ | ⚠ | ✗ | ✗ | ⚠ | ⚠ |
Detailed Results
Amazon
HTTPS enabled
All 4 security headers present
Cookie consent mechanism detected
Privacy policy link detected
Google Analytics detected
No AI disclosure found
Amazon performs well across the board. The deductions come from Google Analytics usage and no AI disclosure, which is notable given that Alexa and AI-powered shopping recommendations are core product features.
Figma
HTTPS enabled
All 4 security headers present
Cookie consent mechanism detected
Privacy policy link detected
No common trackers detected
No AI disclosure found
Figma is the top scorer at 95 - the only platform to pass all checks except AI disclosure. Strong security headers, clean tracker hygiene, and a proper consent flow. The AI disclosure gap is the only thing stopping a perfect score, despite Figma AI being a prominent feature.
Notion
HTTPS enabled
2/4 headers present. Missing: X-Frame-Options, X-Content-Type-Options
Cookie consent mechanism detected
Privacy policy link detected
No common trackers detected
No AI disclosure found
Notion scores well with clean tracker hygiene and a proper consent mechanism. Missing security headers and no AI disclosure are notable gaps for a product that now has significant AI features built in.
GitHub
HTTPS enabled
All 4 security headers present
No cookie consent detected in page HTML
Privacy policy link detected
No common trackers detected
No AI disclosure found
GitHub scores lower than expected for a developer platform: all 4 security headers are present, but the cookie consent check fails, and there is no AI disclosure despite Copilot being deeply integrated into the product. The consent fail deserves a caveat. The check looks for consent markup in the served HTML, and a banner is only required when non-essential cookies or similar storage are used; GitHub removed all non-essential cookies in December 2020 specifically so that it could drop its cookie banner. A fail here therefore shows the absence of a banner, which is not by itself a GDPR violation.
Medium
HTTPS enabled
All 4 security headers present
No cookie consent detected in page HTML
Privacy policy link detected
No common trackers detected
No AI disclosure found
Medium scores 75 with strong security headers but a cookie consent failure. For a platform that hosts millions of articles and sells paid subscriptions to EU customers, setting non-essential cookies before consent would be a meaningful GDPR exposure. The static scan only shows that no consent markup was served, so the necessary follow-up is to check which cookies are actually set on first load.
Vercel
HTTPS enabled
All 4 security headers present
No cookie consent detected in page HTML
Privacy policy link detected
No common trackers detected
No AI disclosure found
Vercel, the platform developers trust to deploy their apps, scores 75. Strong security headers as expected from an infrastructure company. But cookie consent fails and there is no AI disclosure despite their v0 AI product. A case of the cobbler's children having no shoes.
Reddit
HTTPS enabled
All 4 security headers present
No cookie consent detected in page HTML
No privacy policy link found
No common trackers detected
No AI disclosure found
Reddit drops to 55 with two clear fails: no cookie consent markup and no privacy policy link in the scanned HTML (a footer rendered client-side would be missed by the static scan). Given that Reddit has licensed its user-generated content to Google and OpenAI for AI training, the absence of AI disclosure is arguably the most significant gap here.
Substack
HTTPS enabled
Headers partially present
No cookie consent detected in page HTML
No privacy policy link found
No common trackers detected
No AI disclosure found
Substack is the lowest scorer among the non-portfolio sites at 45. A partial security header set, no cookie consent markup and no privacy policy link in the scanned page are all significant findings for a platform hosting paid newsletters with EU subscribers.
A developer portfolio (hafizkh.dev)
HTTPS enabled
1/4 headers present. Missing: X-Frame-Options, X-Content-Type-Options, CSP
No cookie consent detected in page HTML
No privacy policy link found
Google Analytics, Google Tag Manager detected
No AI disclosure found
I included my own portfolio to show that even developers who build privacy tools can fail: it ran GA4 and GTM without a cookie consent banner, had no privacy policy and served weak security headers. I am fixing this. Lesson: audit your own sites too.
Key Findings
HTTPS is universal
All 9 sites scored a full pass on HTTPS. This baseline is now table stakes.
Cookie consent is broken
6 out of 9 sites failed the cookie consent check. This needs careful reading. Some of these sites do have a banner but render it with client-side JavaScript, which a static HTML scan cannot see; others set only strictly necessary cookies, for which no consent is required, and so have no banner at all. A fail here means "no consent markup in the served HTML", which is the right place to start an investigation rather than proof of non-compliance.
AI disclosure is failing everywhere
Every single site scored a warning on AI disclosure. With the EU AI Act in force and its transparency obligations phasing in through 2026, this is the most consistent gap in the audit. Note that the check looks for a disclosure statement on the scanned page; the AI Act's transparency duties attach to specific interactions, such as telling users they are dealing with a chatbot or that content is AI-generated, so the check is an early indicator rather than a legal test.
Developer platforms lead on security headers
Figma, GitHub, Vercel and Medium (and Amazon) all scored full marks on security headers. Notion and Substack served only partial sets, and my own portfolio served one of the four.
Figma is the clear winner
95/100 with clean trackers, full headers, proper consent, and a privacy policy. Only AI disclosure prevents a perfect score.
What Should You Do?
If you run a website, the most common and fixable issues from this audit are:
1. Fix your cookie consent flow. Analytics scripts must not load until the user accepts. Use Consent Mode v2 for GA4, with every consent signal defaulting to denied, or switch to a cookieless, privacy-friendly alternative such as Plausible, which is designed to run without a consent banner.
2. Add security headers. HSTS, CSP, X-Frame-Options and X-Content-Type-Options can be added via a single config file on Netlify or Vercel. HSTS, X-Frame-Options and X-Content-Type-Options take five minutes; CSP does not, because a policy that is too strict breaks your own scripts and styles. Ship it as Content-Security-Policy-Report-Only first, fix the reported violations, then enforce it.
3. Add AI disclosure. If your product uses AI, disclose it. A line in your privacy policy and a footer note is enough to move from warning to pass on this check.
4. Audit your own site now. Use TrustScan's free Website Privacy Audit. It takes 10 seconds and shows you exactly what to fix.
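Step 1 is the one most sites get wrong, so here is what "must not load until the user accepts" looks like in code. This is an added example, not TrustScan's or Google's code: GA4 is gated behind a consent choice using Google Consent Mode v2 signals. The browser dependencies (dataLayer, a script loader, a storage object) are injected so the same logic can be exercised in Node; MEASUREMENT_ID and CONSENT_KEY are placeholders, and the example handles analytics consent only, leaving the advertising signals denied.

```javascript
// Added example, not TrustScan's or Google's code.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';    // placeholder GA4 property id
const CONSENT_KEY = 'cookie_consent_v1';  // remembering the choice is strictly necessary storage

// The four Consent Mode v2 signals. With everything denied and the library
// not even loaded, nothing Google-owned runs until the visitor decides.
const DENIED_ALL = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
};

function createConsentGate({ dataLayer, loadScript, storage }) {
  let scriptLoaded = false;

  // Same shape as the official snippet: gtag() only queues calls into dataLayer,
  // so the 'consent default' entry is queued before gtag.js ever loads.
  function gtag() { dataLayer.push(arguments); }

  function loadGtagOnce() {
    if (scriptLoaded) return;
    scriptLoaded = true;
    loadScript('https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID);
    gtag('js', new Date());
    gtag('config', MEASUREMENT_ID);
  }

  function applyChoice(analytics) {
    gtag('consent', 'update', { ...DENIED_ALL, analytics_storage: analytics });
    storage.setItem(CONSENT_KEY, analytics);
    if (analytics === 'granted') loadGtagOnce();
  }

  return {
    // Run before any other tag code. Returns true when the banner must be shown.
    init() {
      gtag('consent', 'default', DENIED_ALL);
      const saved = storage.getItem(CONSENT_KEY);
      if (saved === 'granted') { applyChoice('granted'); return false; }
      return saved !== 'denied'; // no stored choice: ask; declined earlier: stay quiet
    },
    accept() { applyChoice('granted'); },
    reject() { applyChoice('denied'); },
    isLoaded() { return scriptLoaded; },
  };
}

// Constructed stand-in for window.dataLayer, a <script> injector and
// localStorage, so the flow can be driven outside a browser.
function fakeBrowser(saved) {
  const store = new Map(saved ? [[CONSENT_KEY, saved]] : []);
  const loaded = [];
  return {
    dataLayer: [],
    loaded,
    loadScript: (src) => loaded.push(src),
    storage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, v),
    },
  };
}

// Drives three visitors through the gate and reports what each one loaded.
function demo() {
  const first = fakeBrowser(null);
  const gate = createConsentGate(first);
  const bannerShown = gate.init();
  const loadedBeforeChoice = first.loaded.length;
  gate.accept();
  gate.accept(); // a second click must not inject gtag.js twice

  const declined = fakeBrowser(null);
  const gate2 = createConsentGate(declined);
  gate2.init();
  gate2.reject();

  const returning = fakeBrowser('granted');
  const bannerShownAgain = createConsentGate(returning).init();

  return {
    bannerShown,                      // true: first visit, no stored choice
    loadedBeforeChoice,               // 0: nothing requested before consent
    loadedAfterAccept: first.loaded.length,   // 1: gtag.js requested once
    firstDataLayer: first.dataLayer,  // consent default, then update, then js/config
    loadedAfterReject: declined.loaded.length, // 0
    bannerShownAgain,                 // false: choice remembered
    loadedForReturning: returning.loaded.length, // 1
  };
}

// In a real page: createConsentGate({ dataLayer: (window.dataLayer = window.dataLayer || []),
//   loadScript: (src) => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); },
//   storage: window.localStorage }).init(); then wire accept()/reject() to the banner buttons.
console.log(demo());
```

The important property is in `loadedBeforeChoice`: the GA4 library is not requested at all until `accept()` runs, so no `_ga` cookie can be set first and no request to Google leaves the browser for a visitor who declines. The `consent default` entry still goes into `dataLayer` first so that, if the library is later loaded, it sees the denied defaults before anything else.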