Free website compliance scan: what to look for (and what to ignore)
Most "free compliance scanners" are lead-gen tools dressed as audits. Here is the difference between a useful free scan and a marketing trick — and what to do with the results.
Search for “free website compliance scan” and you will find a hundred tools. Some are useful diagnostic instruments. Many are lead-generation funnels for consulting firms or overlay vendors, designed to produce alarming reports that drive sales calls. This article is the buyer’s guide.
What a useful free scan should do
A scan that earns the user’s trust does five things:
- Tests against named criteria. WCAG 2.1 AA success criteria, GDPR article references, ePrivacy rules. Not vague labels like “risk score.”
- Captures network traffic on first load. The single most useful GDPR-cookie test only works if the scanner waits no more than a second before snapshotting cookies and requests.
- Differentiates severity. A missing form label is a high-severity accessibility issue with legal exposure. A missing alt="" on a decorative image is a warning, not a violation. Tools that lump them together produce useless “500 violations” reports.
- Provides specific remediation. The exact element selector and the code change needed. Not “Improve color contrast.”
- Says what it can’t check. No automated tool catches all WCAG issues; honest scanners say so. Tools that claim 100% coverage are misleading.
Red flags in free scans
“Your site is X% non-compliant.” A single percentage hides severity differentials. A site with 5 warnings can score lower than one with 1 critical error.
“Your site is at risk of a $75,000 lawsuit.” Threat language designed to drive sales. Real audits cite specific exposure based on jurisdiction-specific fine schedules.
“We can fix all your accessibility issues automatically.” The accessibility-overlay claim. The FTC has fined for this; do not engage.
No mention of WCAG criteria. If the scan does not name 1.4.3 Contrast (Minimum) when it flags a contrast issue, the report cannot be acted on.
No mention of jurisdiction. “You have GDPR violations” is useless if you have no EU visitors and unhelpful if you do not know which articles apply.
How to read the results
Treat any free scan as a triage signal, not a verdict. The questions that matter:
- What are the high-severity issues? Form labels, focus traps, missing alt on meaningful images, contrast on body text, pixels firing pre-consent. Fix these first.
- What does my cookie inventory look like? Compare to your published cookie policy. Mismatches are the fastest way to fail a regulator audit.
- Are required legal pages present and reachable? Privacy policy, cookie policy, accessibility statement, imprint (DACH).
- Is the issue list specific enough to action? If your developer cannot fix the issue from the report, the scan was a marketing exercise.
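The cookie-inventory comparison above can be done mechanically once you have the first-load capture. This added example (not Veracly's code) assumes a hypothetical capture format of `{host, header}` records and a policy transcribed as name patterns with a category; all sample values are constructed.

```javascript
// Constructed sample: Set-Cookie headers captured on first load, before any consent click.
const firstLoad = [
  { host: "shop.example", header: "session=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", header: "_ga_X1Y2Z3=GS1.1.1; Max-Age=63072000; Path=/" },
  { host: "tracker.example", header: "uid=42; Domain=.tracker.example; Max-Age=31536000" },
];
// Constructed sample: entries transcribed from the published cookie policy.
const policy = [
  { name: "session", category: "necessary" },
  { name: "_ga_*", category: "analytics" }, // trailing * means "any suffix"
  { name: "cart", category: "necessary" },
];

// The cookie name is everything before the first "=" of the first attribute.
function cookieName(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq < 0 ? pair : pair.slice(0, eq)).trim();
}

function matches(pattern, name) {
  return pattern.endsWith("*")
    ? name.startsWith(pattern.slice(0, -1))
    : pattern === name;
}

// Classify each observed cookie against the policy (hypothetical helper):
//   undeclared - set on first load but absent from the policy
//   preConsent - declared, but non-necessary and set before consent
//   stale      - declared in the policy but never observed
function auditCookies(observed, declared) {
  const seen = observed.map(o => ({ host: o.host, name: cookieName(o.header) }));
  const findings = { undeclared: [], preConsent: [], stale: [] };
  for (const c of seen) {
    const entry = declared.find(d => matches(d.name, c.name));
    if (!entry) findings.undeclared.push(c);
    else if (entry.category !== "necessary")
      findings.preConsent.push({ ...c, category: entry.category });
  }
  findings.stale = declared
    .filter(d => !seen.some(c => matches(d.name, c.name)))
    .map(d => d.name);
  return findings;
}

console.log(JSON.stringify(auditCookies(firstLoad, policy), null, 2));
```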
What to do with the report
One workflow that consistently produces results for SMBs:
- Run the scan, export the issue list.
- Triage: high-severity legal-exposure issues first, then medium, then warnings.
- File one ticket per issue with the specific selector and the developer fix from the report. Do not file “fix all accessibility issues.” That ticket will sit forever.
- Re-scan after each fix. The diff confirms the issue is resolved and catches any regressions introduced.
- Set up a recurring scan cadence. Weekly is the realistic SMB default; daily is valuable for sites with active marketing experimentation.
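The triage, one-ticket-per-issue and re-scan steps above, as an added example (not code from Veracly or axe-core). It assumes the scan export follows the shape of axe-core's `violations` array (`id`, `impact`, `tags`, `nodes[].target`); the sample data and the helper names are constructed for illustration.

```javascript
// Constructed sample in the shape of axe-core's results.violations array.
const before = [
  { id: "label", impact: "critical", tags: ["wcag2a", "wcag412"],
    nodes: [{ target: ["#signup input[name=email]"] }] },
  { id: "color-contrast", impact: "serious", tags: ["wcag2aa", "wcag143"],
    nodes: [{ target: [".hero p"] }, { target: ["footer a"] }] },
  { id: "region", impact: "moderate", tags: ["best-practice"],
    nodes: [{ target: ["div.promo"] }] },
];
// Constructed re-scan: label and one contrast node fixed, one new issue introduced.
const after = [
  { id: "color-contrast", impact: "serious", tags: ["wcag2aa", "wcag143"],
    nodes: [{ target: ["footer a"] }] },
  { id: "region", impact: "moderate", tags: ["best-practice"],
    nodes: [{ target: ["div.promo"] }] },
  { id: "image-alt", impact: "critical", tags: ["wcag2a", "wcag111"],
    nodes: [{ target: ["img.product"] }] },
];

const RANK = { critical: 0, serious: 1, moderate: 2, minor: 3 };

// "wcag143" -> "1.4.3"; level tags such as "wcag2aa" do not match.
function criteria(tags) {
  return tags
    .map(t => /^wcag(\d)(\d)(\d+)$/.exec(t))
    .filter(Boolean)
    .map(m => `${m[1]}.${m[2]}.${m[3]}`);
}

// One ticket per failing element, highest impact first.
function toTickets(violations) {
  return violations
    .flatMap(v => v.nodes.map(n => ({
      key: `${v.id}|${n.target.join(" ")}`, // stable identity across scans
      rule: v.id, impact: v.impact,
      wcag: criteria(v.tags), selector: n.target.join(" "),
    })))
    .sort((a, b) => RANK[a.impact] - RANK[b.impact] || a.key.localeCompare(b.key));
}

// Compare two scans: tickets that closed, that remain, and that are new.
function diffScans(prev, next) {
  const p = toTickets(prev), n = toTickets(next);
  const pk = new Set(p.map(t => t.key)), nk = new Set(n.map(t => t.key));
  return {
    resolved: p.filter(t => !nk.has(t.key)),
    remaining: n.filter(t => pk.has(t.key)),
    regressions: n.filter(t => !pk.has(t.key)),
  };
}
```

Keying each ticket on rule id plus selector is what makes the re-scan diff meaningful; a selector that changes during a refactor will show up as one resolved ticket and one regression.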
Veracly’s free scan
Veracly’s free scan tests against WCAG 2.1 AA via axe-core, captures cookies and network requests on first load, fingerprints third-party trackers, verifies presence of required legal pages, and produces a multi-jurisdiction report (EAA, GDPR, ADA, UK Equality Act, AODA). Each issue cites the specific WCAG criterion or regulation article and includes a copy-paste developer fix. We are explicit about what the scan cannot detect — manual screen-reader and cognitive-load testing are not automatable. Run a scan.
Common questions
Are free compliance scanners actually useful?
Some are; many are lead-generation lures that produce alarming reports to drive sales calls. A useful free scan tests against real WCAG/GDPR criteria, links each finding to the regulation, and tells you whether the issue is high or low severity — not just a count.
What can a free scan check vs. a paid one?
A free scan should check the things that are deterministic from the public DOM and network traffic: WCAG 2.1 AA automated rules, cookies set on first load, presence of legal pages, basic SEO/SSL/security headers. Paid scans add continuous monitoring, multi-page coverage, jurisdiction-specific reports, and developer-fix detail.
Why do some free scans show wildly different results?
Two reasons. First, scanners vary in the rules they implement (axe-core vs. proprietary engines vary by 30%+ on real sites). Second, some scanners conflate severity — counting decorative-image alt warnings the same as a missing form label produces inflated, scary numbers without telling you what to fix.
Should I trust an automated compliance score?
A score is a useful starting point, not a verdict. A "98% compliant" score can still mean a regulator-fineable issue exists. Treat scores as a triage signal — focus on which specific issues exist and how severe they are, not the overall percentage.