AI-Enhanced Compliance Report

https://hemnet.se · CMP: Unknown ⚠ AI analysis incomplete

1 FAIL · 3 PASS · 16 MANUAL

There’s more to GDPR compliance than cookies

This tool checks your site’s compliance with the ePrivacy Directive’s cookie consent requirements — but GDPR places many additional obligations on organisations that collect personal data. Lawful basis assessments, privacy notices, data subject rights procedures, and data processor agreements are just a few of the areas this tool cannot evaluate.

If you’d like a fuller picture of your compliance position, Waivern combines automated scanning tools like this one with experienced privacy and legal professionals who can assess your entire data protection programme. Our ongoing compliance support starts from just £200/month (ex. VAT) — straightforward, predictable pricing with no surprises.

Get in touch →

C3 analysis errors:

UX screenshot analysis: No screenshots available

AI Executive Summary

Overall Risk: MEDIUM

Hemnet.se shows a significant GDPR compliance gap with no accessible consent withdrawal mechanism identified after initial interaction. Users cannot easily revoke consent once given, violating the fundamental requirement that withdrawal must be as simple as providing consent. The Swedish DPA (IMY) has been particularly active in enforcement, including substantial fines for Google Analytics violations. Without evidence of alternative compliance models like consent-or-pay, this represents a material regulatory risk under Swedish transposition of EU privacy law.

Remediation Roadmap

Deploy persistent consent management widget accessible via footer or privacy settings link on all pages (medium) — Enables compliant consent withdrawal and reduces regulatory enforcement risk
Conduct comprehensive consent banner audit to identify any additional UX asymmetries or dark patterns (low) — Ensures full GDPR consent requirements compliance
Review US data transfer practices particularly Google Analytics usage given IMY's specific enforcement focus (medium) — Addresses Swedish DPA priority enforcement area with demonstrated fine risk

Detailed Findings

🤖 = AI-assessed · 👁 = Vision (screenshot) · HIGH MEDIUM LOW = risk level from legal analysis

B. Pre-Consent State 0 FAIL 0 PASS 4 MANUAL

B.2 No analytics/marketing cookies pre-consent

☐ MANUAL

Pre-consent state not captured.

B.3 JS tracker globals return undefined

☐ MANUAL

Pre-consent state not captured.

B.4 No tracking identifiers in web storage

☐ MANUAL

Pre-consent state not captured.

B.5 Non-essential scripts blocked in DOM

☐ MANUAL

Pre-consent state not captured.

C. Baseline Capture 0 FAIL 0 PASS 1 MANUAL

C.3 Full cookie inventory after Accept All

☐ MANUAL

Baseline state not captured.

D. Decline Non-Essential Consent 0 FAIL 1 PASS 0 MANUAL

D.4 Reject requires no more clicks than Accept (EDPB symmetry)

✓ PASS

Accept and Reject both require 1 click(s). Symmetric.

accept_clicks	reject_clicks	extra_clicks_to_reject	reject_required_manage_panel
1	1	0	False

E. Network Request Verification 0 FAIL 0 PASS 1 MANUAL

E.4 No tracking on subsequent pages after reject

☐ MANUAL

No subpages captured.

F. Cookie Verification 0 FAIL 0 PASS 2 MANUAL

F.2 document.cookie contains only essential cookies

☐ MANUAL

Post-reject state not captured.

F.3 No tracking in web storage post-reject

☐ MANUAL

Post-reject state not captured.

G. First-Party Cookie Classification 0 FAIL 1 PASS 1 MANUAL

G.2 🤖 AI Cookie policy cross-reference

✓ PASS

All observed cookies are classified as essential.

ai_evidence
No non-essential cookies observed.

G.3 Cookie policy cross-reference

☐ MANUAL

Cookie policy not found. Add /cookies or /privacy-policy to the site.

H. JS Global Object Verification 0 FAIL 0 PASS 1 MANUAL

H.1 Tracker globals undefined post-reject

☐ MANUAL

Post-reject state not captured.

I. DOM / Source Inspection 0 FAIL 0 PASS 1 MANUAL

I.1 DOM script inspection post-reject

☐ MANUAL

Post-reject state not captured.

K. Consent Mechanism UX Compliance 1 FAIL 1 PASS 3 MANUAL

K.1 Reject All at same prominence and level as Accept All

☐ MANUAL

Could not determine button prominence.

accept_visible_at_first_screen	reject_visible_at_first_screen	reject_requires_extra_layer	accept_button_text	reject_button_text
False	False	None	None	None

K.2 Non-essential categories default to OFF

☐ MANUAL

Could not open preferences panel to check toggles.

K.3 No dark patterns in consent banner (colour, visual hierarchy)

☐ MANUAL

DOM-level button detection completed. Full visual assessment of colour contrast, typography prominence, and deceptive visual hierarchy requires screenshot review. See screenshots in report.

K.5 MEDIUM Persistent consent withdrawal mechanism accessible after interaction

✗ FAIL

No persistent consent widget found. Users cannot easily withdraw consent.

Regulatory basis: GDPR Art. 7(3) · GDPR Art. 5(1)(a) · EDPB Guidelines 05/2020 §3.3
Precedent: IMY's 2023 enforcement actions resulted in SEK 12.3M in fines for Swedish companies, demonstrating active supervision of consent management practices.

Recommendation: Implement a persistent cookie preferences widget or clear link accessible from all pages allowing users to modify or withdraw consent with the same ease as initial provision.

K.6 Site fully accessible after declining consent (no cookie wall)

✓ PASS

Site content accessible after declining consent.

accessible
True

L. Consent State Persistence 0 FAIL 0 PASS 2 MANUAL

L.2 Consent choice respected on second tab

☐ MANUAL

Not captured.

L.3 Consent maintained on return visit

☐ MANUAL

Not captured.

🔒

There’s more to GDPR compliance than cookies

Get in touch →

Component 3 — AI analysis via claude-sonnet-4-20250514 · ← Home