# Lokker — Full Context Reference

> Lokker is a privacy intelligence platform built to analyze how websites collect, transmit,
> and expose user data at the network and request layer. Rather than relying on documentation,
> vendor disclosures, or static tag audits, Lokker directly observes real network activity to
> determine what data is collected, where it is sent, which technologies introduce it, and
> whether user consent signals are honored. Lokker provides continuous risk scoring,
> real-time browser-side enforcement, automated consent validation, structured training, and
> evidence-grade reports for privacy, legal, insurance, and security teams.

For the concise curated link index of all Lokker pages, see: https://lokker.com/llms.txt

## Platform overview

Lokker is a privacy intelligence platform that continuously monitors how digital properties
behave in practice — not how their documentation claims they behave. Modern websites rely on
dozens or hundreds of third-party technologies: analytics, advertising pixels, session replay
tools, chat systems, A/B testing platforms, video players, and tag managers. These
technologies introduce chains of outbound data flows that are difficult to audit from
documentation alone.

Lokker addresses this by automating simulated user browsing sessions and capturing every
network request those sessions generate. From that raw network telemetry, the platform builds
a detailed map of data flows, identifies the technologies and vendors involved, evaluates
consent behavior, and surfaces findings that match documented regulatory and litigation
patterns.

The platform is designed for continuous, not point-in-time, operation. Scan data is retained
indefinitely so privacy, legal, and security teams can answer historical questions — which
technologies ran on a given date, how consent behavior changed after a deployment, and
whether remediation actually worked.

## Why Lokker exists

Privacy challenges for organizations are significant and growing. Several compounding problems
create risk for enterprises, legal teams, insurers, and the individuals whose data is involved:

- **Fragmented legal landscape.** Privacy laws differ by state and country. California has an
  opt-in default while most US states are opt-out. GDPR governs European residents. HIPAA
  creates specific obligations for healthcare properties. VPPA creates exposure for sites with
  video content and advertising. Legislation is expanding. Organizations need continuous
  monitoring that translates legal complexity into concrete, prioritized action.

- **Consent operations in disarray.** Many consent managers are misconfigured, absent, or set
  and forgotten. There is often no clear owner across engineering, marketing, and legal. Tags
  deploy to production without review. Consent banners display correctly but fail to block
  scripts. The gap between what a banner implies and what data actually flows is the most
  common source of privacy litigation exposure.

- **Invisible third-party activity.** Organizations frequently do not know which vendors
  receive user data, what identifiers are transmitted in network payloads, or whether consent
  choices change tracking behavior at all. Static analysis and vendor documentation do not
  answer these questions reliably.

- **Portfolio complexity.** Large organizations own many digital properties. Maintaining
  consistent privacy posture across dozens or hundreds of sites is an operational challenge
  that requires automation and continuous monitoring.

- **Active enforcement and litigation.** Plaintiffs and regulators actively pursue cases.
  Organizations need both proactive posture improvement and reactive support when incidents
  or claims arise.

## Products

All Lokker products are Generally Available. The platform overview is at
https://lokker.com/products.

### Privacy Edge

Privacy Edge (https://lokker.com/products/privacy-edge) is the core intelligence and discovery platform.
It performs continuous automated scans that replicate real user browsing sessions while
capturing all network activity: requests, cookies, local storage, query parameters, request
payloads, and initiator chains.

**Risk scoring.** Each site receives a risk score from 0 to 1000 and a letter grade.
Scores are derived across seven risk categories:
- Cookies — cookie behavior and consent compliance
- Form Data — data captured from user input
- Session Replay — recording technologies and their scope
- Trackers — third-party tracking presence and behavior
- Consent — CMP presence, functionality, and GPC handling
- Geo — geographic data exposure
- Perimeter — outbound data flows and vendor footprint

**Reason codes.** Every finding is assigned a reason code that identifies the specific
technical behavior observed, maps it to the applicable privacy laws (HIPAA, VPPA, CCPA,
CPRA, GDPR), and classifies it by severity (Critical, High, Medium, Low). Critical findings
appear as a prominent alert banner and match documented litigation or regulatory patterns.

**Remediation.** Every reason code includes step-by-step remediation guidance so engineering
and privacy teams can resolve findings without ambiguity.

**Reports.** Privacy Edge produces evidence-grade outputs including:
- Risk & Remediation PDF: portfolio summary, per-site findings, and remediation steps
- GPC Compliance PDF: Global Privacy Control response analysis
- Payload Explorer Excel: raw network payload data for forensic review
- Digital Objects Excel: full technology and vendor inventory

**Data retention.** All scan data is retained indefinitely. This supports forensic and
litigation use cases where historical evidence of site behavior on a specific date is needed.

**Network visualizations.** Privacy Edge includes two visualization modes:
- Constellation View: interactive 3D graph of request flows and vendor relationships
- Waterfall View: hierarchical tree of initiator chains across a page load

**Portfolio scale.** Privacy Edge is designed for portfolios ranging from a single site to
hundreds of thousands of sites. It supports benchmarking against the S&P 500.

**Guardian integration.** Domains and vendors identified in Privacy Edge can be marked
Trusted or Blocked. Those rules are then enforced in real time by Guardian.

**Alert delivery.** Daily or weekly email digests surface new findings. No immediate push
alerts are generated; digest cadence keeps teams focused without alert fatigue.

### Guardian

Guardian (https://lokker.com/products/guardian) is the real-time enforcement layer. It is deployed as a
single JavaScript snippet placed on any web property. Once deployed, Guardian intercepts
every outbound script load, pixel fire, fetch request, and XMLHttpRequest before it leaves
the browser.

**How enforcement works.** Guardian evaluates each outbound request against trust rules
defined in Privacy Edge. If the destination vendor or script is marked Trusted, the request
proceeds. If it is marked Blocked or Unknown with a restrictive policy, Guardian prevents the
request before data is transmitted. This enforcement happens at the browser level, so it
applies regardless of tag manager configuration or consent platform state.

**Payload awareness.** Guardian can inspect request payloads to detect transmission of PII
or health data, and can apply more restrictive policies when sensitive data is involved.

**Audit trail.** Every allow and block decision is logged, creating a continuous audit trail
of what ran and what was stopped on each page load.

**CMP coexistence.** Guardian is designed to complement, not replace, consent management
platforms. It provides an additional enforcement layer that operates even when CMP
configuration fails or scripts load outside the CMP lifecycle.

**Edge deployment.** Guardian enforcement logic is sub-millisecond and does not introduce
perceptible latency. Rules are served from the edge.

### Consent Validator

Consent Validator (https://lokker.com/products/consent-validator) is the automated consent testing
product. It systematically tests a site across four consent states:
- No interaction (default page load before any consent choice)
- Accept (user accepts all tracking)
- Reject (user rejects optional tracking)
- GPC (Global Privacy Control signal sent)

For each state, Consent Validator captures the full set of technologies and network requests
that fire. Comparing across states reveals whether the consent configuration actually changes
tracking behavior — not just whether the banner displays correctly.

Findings are prioritized P1, P2, and P3 by remediation urgency. Output is delivered as Excel
and PDF reports. Primary users include privacy and compliance teams, legal counsel, and
agencies auditing client properties.

### Privacy Academy

Privacy Academy (https://lokker.com/products/privacy-academy) provides structured web privacy training
from beginner to expert. The curriculum covers how the web works at a privacy level, consent
mechanics, tracking technologies, privacy regulations, CMP configuration and validation, the
ad tech data ecosystem, browser fingerprinting, HIPAA on the web, Privacy by Design, tag
management governance, and privacy risk assessment methodology.

Programs are available self-paced for individual learners or as structured team programs.
The public training tracks are accessible at /training. Privacy Academy is used by privacy
and compliance teams, legal and defense counsel, marketing and digital teams, engineering and
product, insurance underwriters, and program leaders.

### Partner API

The Partner API (https://lokker.com/products/partner-api) is a developer-facing integration layer that
exposes Lokker intelligence programmatically. Primary use cases include:
- Portfolio onboarding: submit lists of domains for automated scanning at scale
- Scan orchestration: trigger scans and receive completion notifications via webhook
- Score retrieval: pull per-site risk scores and grade data for downstream reporting
- Reason code access: retrieve structured findings with law mapping and remediation steps
- Remediation data: export structured finding data into risk management workflows
- Underwriting automation: integrate scan completion and score delivery into insurance workflows

The Partner API is Generally Available and is primarily used by insurance underwriters, risk
platforms, and enterprise teams with large portfolios.

### Privacy Extension

The Privacy Extension (https://lokker.com/products/privacy-extension) is a browser extension that
enables on-demand privacy analysis of any web page directly in the browser. It surfaces
tracking technologies, network requests, and consent behavior without requiring a full
platform scan.

## Services

Lokker offers expert professional services alongside its product suite (https://lokker.com/services).

### Consent Tag Orchestration

Consent Tag Orchestration (https://lokker.com/services/consent-tag-orchestration) is a managed service
for organizations that need hands-on help with CMP configuration, consent banner implementation,
tag governance, and enforcement at scale. This service is suited to organizations with complex
site portfolios, CMPs that are misconfigured, or teams that lack the internal expertise to
implement and maintain consent controls that actually stop data collection when visitors
opt out.

## Solutions

Lokker's solutions pages (https://lokker.com/solutions) describe how the platform is applied to specific
use cases and industries. Each solution maps product capabilities to a concrete business need.

### Litigation & discovery

Network-layer evidence for defense counsel: document what third-party scripts ran and how consent behaved, validate whether remediation changed the behavior, and monitor continuously so the next incident does not come as a surprise.

Page: https://lokker.com/solutions/litigation-discovery

### M&A due diligence

Assess privacy posture of target properties at scale with risk scores, reason codes, and evidence for deal teams.

Page: https://lokker.com/solutions/ma-due-diligence

### Board & risk reporting

Portfolio-level risk, trends, and benchmarks with executive-ready views and remediation status.

Page: https://lokker.com/solutions/board-risk-reporting

### Portfolio monitoring

Ongoing visibility across many sites with automation, cadence, and integration into underwriting or ops tools.

Page: https://lokker.com/solutions/portfolio-monitoring

### Healthcare

Protect patient data on the web. Get HIPAA-aware visibility into trackers and pixels, evidence for audits and incidents, and real-time control so PHI stays private.

Page: https://lokker.com/solutions/healthcare

### Consent Audit & Validation

Test whether your consent banner, CMP configuration, and GPC handling actually stop data collection when visitors opt out, not just whether they display correctly. Get documented evidence of what fires in every consent state.

Page: https://lokker.com/solutions/consent-audit

### Third-Party Script Governance

Every approved tag is an outbound integration that bypasses your firewall. Map your full third-party script inventory, detect shadow IT tags deployed outside review, and enforce trust rules so unauthorized scripts cannot send data from the browser.

Page: https://lokker.com/solutions/third-party-script-governance

## Who Lokker serves

Lokker's audience pages (https://lokker.com/who-we-help) describe the specific teams and roles that
use the platform and how their needs are addressed.

### Privacy Teams

Lokker gives privacy teams a continuous, evidence-based view of what is running on the site, whether consent choices are respected, and what to fix first.

Page: https://lokker.com/who-we-help/privacy-teams

### Legal & Compliance

Defense counsel and law firms use Lokker to document what actually ran on a client's site, validate whether consent controls worked, and confirm that remediation fixed the problem. The engagement model starts with a point-in-time scan and can extend to repeated rescans after fixes and ongoing monitoring to protect against the next incident.

Page: https://lokker.com/who-we-help/legal-compliance

### Insurance & Risk

Underwriters and risk teams use Lokker to quantify website privacy risk, score domains at scale, and support underwriting and portfolio monitoring.

Page: https://lokker.com/who-we-help/insurance

### Agencies

Agencies managing multiple client properties use Lokker to monitor website privacy posture, deliver evidence-ready reporting, and scale privacy services.

Page: https://lokker.com/who-we-help/agencies

### IT & Security Leaders

Web privacy is the client-side blind spot in most security programs. While firewalls guard the backend, marketing tags and third-party scripts ship data directly from the browser to ad networks, analytics vendors, and enrichment services without passing any perimeter control. Lokker gives security and IT leaders network-layer visibility into what leaves the browser, what consent controls actually enforce, and what outbound data flows need governance.

Page: https://lokker.com/who-we-help/it-security-leader

## Training curriculum

The Lokker Privacy Academy training curriculum (https://lokker.com/training) is organized into tracks
that progress from foundational to expert. All public tracks are described below.

### Web Privacy Foundations (Beginner — 6h)

Start here. Learn how the web works, why privacy matters, and what consent really means. No prior technical knowledge required.

Audience: Privacy newcomers and non-technical stakeholders; Marketing, product, and legal teams building baseline literacy

Outcomes:
- Understand how browser behavior and data flow drive privacy risk
- Recognize consent fundamentals and common implementation failures
- Build confidence in privacy vocabulary and decision framing

Modules covered:
- how-the-web-works
- intro-to-web-privacy
- understanding-consent

Page: https://lokker.com/training/web-privacy-foundations

### Privacy Technologies (Intermediate — 10h)

Understand the tools that track you online (analytics, session replay, ad pixels, fingerprinting) and the regulations written to control them.

Audience: Practitioners implementing analytics, adtech, and consent tooling; Privacy and compliance teams reviewing technical controls

Outcomes:
- Map technologies to the data they collect and share
- Connect regulations to practical implementation checks
- Detect and prevent high-risk deployment misconfigurations

Modules covered:
- tracking-technologies
- privacy-regulations
- consent-management-platforms
- adtech-data-ecosystem

Page: https://lokker.com/training/privacy-technologies

### Advanced Privacy (Advanced — 10h)

Deep-dive into browser fingerprinting, HIPAA on the web, and Privacy by Design frameworks.

Audience: Privacy engineers and technical advisors handling high-risk properties; Security, product, and legal leaders designing privacy-forward systems

Outcomes:
- Evaluate advanced tracking threats and control strategies
- Assess HIPAA-sensitive web patterns and remediation priorities
- Operationalize Privacy by Design in delivery workflows

Modules covered:
- browser-fingerprinting
- hipaa-and-health-privacy
- privacy-by-design

Page: https://lokker.com/training/advanced-privacy

### Specialist: Tag Management & Risk (Expert — 8h)

For privacy engineers and practitioners: deep-dive into GTM architecture, consent modes, and privacy risk assessment methodology.

Audience: Senior privacy practitioners and implementation leads; Teams responsible for production tag governance and incident response

Outcomes:
- Design resilient governance for scripts, tags, and partner data flow
- Run repeatable risk assessments with actionable remediation plans
- Communicate technical findings in executive-ready language

Modules covered:
- tag-management
- privacy-risk-assessment

Page: https://lokker.com/training/specialist-tracks

## Resources and documentation

- **Resources** (https://lokker.com/resources): Whitepapers, compliance reports, downloads, and
  checklists covering web privacy, consent, tracking, and regulatory topics.
- **Documentation** (https://lokker.com/docs): Product documentation covering Privacy Edge, Guardian,
  Consent Validator, and the Partner API.
- **Demo** (https://lokker.com/demo): Request a live guided demonstration tailored to your use case.
- **Support** (https://lokker.com/lokker-support): Help resources and support for Lokker customers.
- **Blog** (https://lokker.com/blog): Privacy commentary, product updates, regulatory analysis, and
  thought leadership articles.
- **Press & news** (https://lokker.com/press): Media coverage, press releases, and announcements.
- **Events** (https://lokker.com/events): Privacy conferences and industry events where Lokker
  participates.

## Privacy knowledge library

The /topics section (https://lokker.com/topics) is a library of web privacy concepts. Each article
covers a specific technology, regulation, consent mechanism, or risk pattern at the depth
needed to understand its privacy implications. Topics include tracking technologies (cookies,
pixels, session replay, fingerprinting), consent regulations (GDPR, CCPA, CPRA, US state
laws), consent mechanisms (CMPs, GPC, TCF), ad tech concepts (RTB, identity resolution,
header bidding), and risk patterns (HIPAA on the web, VPPA, wiretapping statutes).

Individual topic articles are accessible at https://lokker.com/topics/{slug}. The full slug list is
available in the XML sitemap at https://lokker.com/sitemap.xml.

The /glossary page (https://lokker.com/glossary) is an alphabetized reference covering key web privacy
and regulatory terms. Each entry provides a plain-language definition and a "Why it matters"
section explaining the practical compliance, risk, or operational significance of the term.
Terms span GDPR, CCPA, CPRA, US state privacy laws, consent technology, tracking methods,
security headers, and enterprise risk vocabulary including PII, PHI, subprocessors, and TIAs.

## Trust, security, and legal

- **Security** (https://lokker.com/security): Lokker's security practices, infrastructure posture, and
  responsible disclosure policy.
- **Privacy policy** (https://lokker.com/privacy-policy): How Lokker collects, uses, stores, and
  protects data about users of the lokker.com website and platform.
- **Terms of use** (https://lokker.com/terms-of-use): Terms governing use of the Lokker platform and
  website.

Note: Lokker findings represent observable technical behaviors, not legal conclusions or
legal advice. Organizations should consult qualified legal counsel for advice specific to
their situation.

## Engagement model and boundaries

**Who Lokker works with:**
- Enterprises: privacy, legal, compliance, engineering, and IT/security teams
- Defense counsel: law firms and legal teams defending organizations against privacy claims
- Insurance underwriters: cyber and privacy insurance teams assessing and monitoring risk
- Agencies: digital and marketing agencies managing client properties and privacy programs
- Any organization that wants to understand, improve, or maintain its privacy posture

**Who Lokker does not work with:**
- Plaintiff-side counsel. Lokker supports organizations and their defense, not those bringing
  claims against them.

**Engagement entry points:**
- Product demo: https://lokker.com/demo
- Contact: https://lokker.com/contact
- Training inquiry: https://lokker.com/contact?interest=training

## AI discovery

These files and patterns are provided to help AI systems and LLM-powered tools access
Lokker content efficiently:

- Curated index (spec-aligned): https://lokker.com/llms.txt
- Full context reference: https://lokker.com/llms-full.txt
- Sitemap (all indexed URLs, XML): https://lokker.com/sitemap.xml
- RSS feed (blog and press): https://lokker.com/feed.xml

**Markdown page variants (append .md to any supported URL):**
- Product pages: `https://lokker.com/products/{slug}.md`
- Solutions: `https://lokker.com/solutions/{slug}.md`
- Training tracks: `https://lokker.com/training/{slug}.md`
- Blog posts (full article body): `https://lokker.com/blog/{slug}.md`
- Static pages: `https://lokker.com/about.md`, `https://lokker.com/contact.md`, `https://lokker.com/security.md`