Coverage Across the Frameworks That Govern Modern Privacy & AI Compliance
New frameworks added continuously as regulators publish guidance. The complete, regularly-updated coverage matrix is available to customers in-product.
How It Works
Watch the pipeline run end-to-end. No agents to install. No data to upload. Just point it at a URL.
Read-only scan of observable behavior. Tracking activity, third-party calls, and consent signals β captured from any public URL.
Forensic-grade examination of every violation. Which regulations apply, how serious the exposure is, and exactly what to fix β supported by an immutable evidence chain your legal team can defend.
Defensible findings with cryptographic integrity, severity rankings, jurisdiction-specific citations, and remediation guidance.
What Defensible Compliance Actually Looks Like
From the EU GDPR to the EU AI Act, from CCPA to PIPEDA β 40T backs every finding with the specific statute and control that governs your business.
CMPs configure consent. 40T verifies it actually happens β auditing tracking scripts, pixel activity, and cross-jurisdiction behavior at runtime.
AI agents and automated services interact with sites at machine speed. 40T audits AI tracker activity and pre-consent behavior β the controls regulators are now codifying.
Early Access
The web is evolving from pages to callable services. 40T is building the compliance layer for every agent interaction.
Google's WebMCP is turning websites into APIs for AI agents. Agents will book flights, file tickets, and add to carts β triggering cookies and tracking on every interaction. Today's consent model was designed for human visitors β visual banners, click-to-accept β and it doesn't yet extend to interactions an agent drives instead of a person. Agent-level consent is an emerging gap across the whole ecosystem.
Audit what happens when AI agents β not just humans β visit your site. Detect tracking that fires without visual consent prompts, before any agent interaction is permitted.
A pre-action consent check for the agentic web: AI agents will be able to call 40T to verify compliance before acting on a site. In development.
As sites expose structured tools via WebMCP, 40T queries consent APIs directly β moving beyond HTML scraping to structured, verifiable compliance at the protocol level.
βWe're not just auditing today's web. We're building the compliance layer for tomorrow's β where AI agents interact with millions of sites and every interaction needs verified consent.β
Certified Security Professionals Behind Every Assessment
40T is built on decades of federal cybersecurity and AI security expertise β applying investigative precision used in critical infrastructure protection to privacy compliance.
Continuous monitoring across global jurisdictions. Always current. Always defensible.
Request a Live Investigation βDecision Reference Library
Every case below traces back to a specific control 40T monitors β each grounded in a decision regulators have already made. That gives you a proven benchmark for what good looks like, and the confidence that 40T is already checking for it on your site.
European Union & UK
Reject button required more steps than accept on google.fr and youtube.com. Cookie refusal made deliberately harder than acceptance. Pre-consent tracking before any user action.
Consent hidden inside Terms of Service. No genuine freedom of choice. No lawful basis for behavioral advertising across Facebook and Instagram.
EU user data transferred to US servers without valid legal mechanism. Standard Contractual Clauses not properly implemented. Largest GDPR fine ever issued.
Childrenβs accounts set to public by default. Dark patterns steered minors toward less private settings. Data processed without lawful basis.
Member data used for behavioral analysis and targeted advertising without valid consent, legitimate interest, or contractual necessity.
Gmail ads without consent. Dark patterns during account creation guided users toward advertising cookies. Third offense β recidivism multiplied the penalty.
United States
Facial recognition run on millions of photos without informed consent for over a decade. Largest privacy settlement ever obtained by a single US state.
Dark patterns tricked children and parents into unintended purchases. Privacy-invasive default settings collected childrenβs data without parental consent.
First CCPA enforcement action. Failed to disclose data sales, failed to honor opt-out requests, and failed to process Global Privacy Control signals.
Triple opt-out failure. Cookie consent banner appeared functional but did not disable tracking. GPC signals ignored. 118 third-party trackers continued firing after consumers used every available opt-out mechanism. Largest CCPA settlement to date.
Defensibility, operationalized for privacy and AI.
Where every decision becomes evidence β automatically, continuously, by design.
Every finding cites the specific statute, control, and jurisdiction that governs your site β from GDPR's behavioral consent rules to CCPA's opt-out signals to the EU AI Act's pre-deployment controls. Your legal team works from evidence, not opinions. Your engineering team works from data, not interpretations. Your board sees posture, not promises.