Compliance questions, answered

Veracly is a website compliance monitoring service for small and medium businesses. It scans your site against the digital rules that apply to your visitors — accessibility (European Accessibility Act / BFSG, ADA, UK Equality Act, AODA), privacy (GDPR and the ePrivacy cookie rules), and EU AI Act Article 50 transparency — then gives you a plain-English, severity-ranked report with a copy-paste fix for each finding.

Veracly crawls your pages, runs the axe-core accessibility engine against the rendered DOM, and records every network request, cookie, and storage write that happens before a visitor interacts with your cookie banner. It then maps each finding to the jurisdictions that apply and scores each one. Every finding is reproducible by you in your own browser’s DevTools — the report shows you exactly how.

The free scan checks a single page and emails you a signed PDF in about five minutes — same engine, same scoring, same cryptographic signature as the paid tier. Paid plans add continuous multi-page monitoring, all jurisdictions in one report, scheduled re-scans, regression alerts, and a dated attestation history you can share.

No — and that is deliberate. Veracly is an independent monitoring and reporting service: it tells you precisely what to fix and how, but it does not sell the remediation. Compliance is achieved when your developer fixes the identified issues; no tool can make a website compliant on its own. Staying independent is what lets Veracly’s findings be credible to a regulator, auditor, or counsel.

No. A Veracly report is a technical compliance scan, generated by automated software. It is informational only — not legal advice, not a regulatory opinion, and not a § 317 HGB / ISA audit. It is designed to be handed to your legal counsel, who can act on the findings in your jurisdiction.

The European Accessibility Act — Directive (EU) 2019/882 — requires a wide range of digital products and services sold to EU consumers to be accessible. Each member state transposes it into national law; in Germany that is the Barrierefreiheitsstärkungsgesetz (BFSG). In practice, conformance is measured against EN 301 549, which points to WCAG 2.1 AA success criteria.

The EAA’s national rules apply from 28 June 2025. From that date, in-scope businesses selling to EU consumers are expected to meet the accessibility requirements. Some member states allow limited transition periods for existing service contracts, but new digital services are covered now.

It applies to businesses offering covered products and services to EU consumers — including e-commerce, banking, e-books, transport, and telecoms. There is a microenterprise relief for service providers with fewer than 10 staff and annual turnover or balance sheet at or below €2 million, but it is narrow and does not cover products. If you sell online to EU consumers, assume you are likely in scope and confirm with counsel.

WCAG (Web Content Accessibility Guidelines) is the W3C standard for accessible web content, organised into A, AA, and AAA levels. AA is the bar most laws point to. Veracly assesses your site against WCAG 2.2 AA — the current version — and also reports the legal-floor score (WCAG 2.1 AA for the EAA, ADA and UK Equality Act; WCAG 2.0 AA for AODA) so you can see both.

For most private businesses, US courts have applied the Americans with Disabilities Act (Title III) to websites through case law such as Robles v. Domino’s and Gil v. Winn-Dixie, generally measuring against WCAG 2.1 AA. For state and local government sites, the 2024 DOJ Title II rule sets WCAG 2.1 AA explicitly. If you have US visitors, the ADA is a real exposure.

The UK Equality Act 2010 (§20) places a duty on service providers to make reasonable adjustments so disabled people can use a service — which courts and the EHRC treat as including websites. WCAG 2.1 AA is the practical benchmark used to demonstrate those adjustments have been made.

The Accessibility for Ontarians with Disabilities Act (AODA) requires Ontario organisations to make their web content accessible. Its Integrated Accessibility Standards Regulation (O. Reg. 191/11, §14) references WCAG 2.0 AA as the legal floor. Veracly scores AODA against that 2.0 floor while also showing the broader 2.2 view for comparison.

Under the ePrivacy Directive (Art. 5(3)) and the GDPR, non-essential cookies and trackers — analytics, advertising pixels, and similar — may only be set after the visitor gives prior, informed, freely-given consent. Strictly necessary cookies are exempt. The most common failure Veracly detects is trackers that fire on page load, before any banner interaction.

§ 25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) is the German transposition of the ePrivacy Directive’s Art. 5(3). It requires consent before storing or reading information on a user’s device — i.e. before setting non-essential cookies or using local/session storage for tracking. Unlike the BFSG, it has no microenterprise exemption.

A pre-consent tracker is a cookie, storage entry, or third-party request that fires before the visitor accepts the cookie banner. Because consent must come first, these are among the clearest and most reproducible privacy issues — you can confirm them yourself in DevTools (e.g. F12 → Network, then reload and watch which requests fire before any click).

Regulators (including the EDPB and several national authorities) take the position that rejecting non-essential cookies must be as easy as accepting them — typically an equally prominent "Reject all" alongside "Accept all" on the first layer. A banner that only offers "Accept" or buries the reject option is a common, reproducible finding.

Article 50 of the EU AI Act sets transparency obligations: you must tell people when they are interacting with an AI system (such as a chatbot), and AI-generated or manipulated content (text, images, audio, video) must be marked as such. It is a transparency duty, separate from the Act’s high-risk AI rules.

The Article 50 transparency obligations apply EU-wide from 2 August 2026. If your site uses a chatbot or publishes AI-generated content for EU visitors, that is the date to be ready by.

Yes — under Article 50(1), when a visitor interacts with an AI system such as a chatbot or AI assistant, you must make it clear they are not talking to a human (unless it is obvious from the context). Veracly detects common chat/assistant widgets and checks whether a clear AI disclosure is present.

Veracly runs a transparency-readiness check for Article 50 — it flags an undisclosed chatbot or a missing AI-use notice so you can address them before the deadline. It is a readiness signal, not a determination that your site is "AI Act compliant", and it does not cover the Act’s high-risk AI governance requirements.

Every report is cryptographically signed (Ed25519) and anchored in Veracly’s audit ledger. The signature covers the exact PDF, so any tampering is detectable. The report carries a Verification ID and a verify URL so its provenance can be confirmed independently.

Yes. Anyone holding the PDF can visit the verify link and reconcile the signature against Veracly’s public key, published at veracly.app/.well-known/veracly-signing-key.json. Verification runs in their browser — no Veracly account and no Veracly server in the trust path — which is what makes it credible to a third party.

A free-scan report stays downloadable for 60 days, and its cryptographic verification record is kept for the same window; the report itself never expires once you have saved the PDF. Paid reports remain available for your account, and their audit-ledger anchors persist so the report stays independently verifiable over time.

Yes — that is what it is built for. Because the report is independently verifiable without trusting Veracly, you can hand it to counsel, an auditor, a regulator, or a buyer doing due diligence, and they can confirm it is genuine and unaltered. Paid sites can also share a live, dated attestation timeline.

A one-page scan is free. Paid plans are billed monthly per site and scale with how many pages and sites you monitor; current tiers and prices are on the pricing section of veracly.app. There is no charge to run the free scan and see a full signed report first.

Paid plans add continuous, scheduled monitoring across multiple pages; all five jurisdictions plus the EU AI Act check in a single report; regression alerts when a new issue appears; a dated, independently verifiable attestation history; and signed PDF reports you can share with counsel or buyers.

Veracly scans only what a normal visitor’s browser would load: public page content, the third-party requests your pages make, and the cookies and storage they write. It detects client-side tracking; server-side data flows (such as server-to-server pixel APIs) are out of scope and noted as such in the report.

Scan results and generated reports are kept only as long as needed for the service and then deleted on a fixed schedule — free-scan reports for 60 days, with longer windows for paid scan data and the audit-ledger anchors that keep reports verifiable. The full, current retention periods are published in Veracly’s privacy notice.

Veracly checks compliance but does not sell the fix — so its findings carry no conflict of interest. A tool that also sold you the remediation could not credibly certify it. That independence is what makes a Veracly report something you can put in front of a regulator, auditor, or buyer.