Academy Sports
App Quality Report
Powered by Testers.AI
Quality Score: B (86%)
Pages: 4
Issues: 85
Avg Confidence: 7.8
Avg Priority: 8.0
30 Critical, 47 High, 8 Medium

Testers.AI AI Analysis

Academy Sports scored B (86%) with 85 issues across 7 tested pages, ranking #5 of 14 US retail sites. That's 20 fewer than the 105.1 category average (64th percentile).

Top issues to fix immediately:
"Critical blocking verification prompt prevents site access" - Investigate and fix the JavaScript and resource loading failures indicated in the console (ERR_NAME_NOT_RESOLVED and ...
"Missing Cache Headers on All Resources Preventing Browser Caching" - 1) Add Cache-Control headers to all cacheable resources with appropriate TTLs (images: 1 year, CSS/JS: 1 month, HTML:...
"Critical verification blocker - user cannot proceed past human verific" - Resolve the underlying resource loading failures (ERR_NAME_NOT_RESOLVED and 403 errors visible in console) so that th...

Weakest area - accessibility (5/10): Limited evidence of alt text on images, color contrast issues in some areas, and promotional overlays may interfere with screen...

Quick wins: Add descriptive alt text to all product and campaign images for screen reader users. Simplify the homepage layout to reduce cognitive load and improve scanability.

[Chart: Qualitative Quality - Academy Sports vs. Category Avg vs. Best in Category]

Issue Count by Type: A11y 23, Content 14, UX 4, Security 1

Pages Tested · 4 screenshots
Detected Issues · 85 total
1
Persistent User Identifiers Exposed in Third-Party Tracking Network Requests
CRIT P9
Conf 9/10 Other
Prompt to Fix
Audit and restrict the transmission of persistent user identifiers (uuid, vid, sid, ci) to third-party services. Implement a privacy consent mechanism that explicitly requires user opt-in before transmitting any persistent identifiers to external analytics, bot detection, or tracking services. Replace persistent UUIDs with temporary session tokens where possible. Update the privacy policy to disclose all third parties receiving user identifiers and provide users with clear opt-out options. Consider using privacy-preserving alternatives to persistent device fingerprinting for fraud detection.
Why it's a bug
The network traffic reveals multiple persistent user identifiers (uuid, vid, sid, ci) being transmitted to third-party analytics and bot detection services (px-cloud.net, collector-pxqqxm841a.px-client.net, crcldu.com). These identifiers enable persistent cross-site user tracking and profiling without explicit user consent visibility. The UUID (977abb50-2196-11f1-873d-2b085fa1ef97) and VID (984e42bf-2196-11f1-ae60-02d1aa2e71db) appear in multiple requests to external domains, enabling tracking networks to build comprehensive user profiles across sessions and websites.
Why it might not be a bug
Some tracking may be necessary for fraud detection and bot mitigation. However, the extent of identifier sharing to multiple third parties without clear user consent disclosure is problematic.
Suggested Fix
Implement explicit user consent mechanisms before transmitting persistent identifiers to third-party services. Use privacy-preserving alternatives like temporary session tokens instead of persistent UUIDs. Add clear disclosure in the privacy policy about which third parties receive tracking identifiers, and implement opt-out mechanisms.
Why Fix
Persistent tracking identifiers enable user profiling across websites, violating privacy expectations and potentially breaching GDPR/CCPA regulations. Users have a right to know their identifiers are being tracked by third parties.
Route To
Privacy Engineer / Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: Multiple network requests containing uuid=977abb50-2196-11f1-873d-2b085fa1ef97&vid=984e42bf-2196-11f1-ae60-02d1aa2e71db transmitted to third-party domains
Network: GET https://collector-pxqqxm841a.px-client.net/b/g?payload=...&uuid=977abb50-2196-11f1-873d-2b085fa1ef97&vid=984e42bf-2196-11f1-ae60-02d1aa2e71db&sid=a071bae8-2196-11f1-bf8c-8a68a58a5bc5 - Status: 200
2
Persistent User Tracking Identifiers Exposed to Third-Party Analytics
CRIT P9
Conf 8/10 Other
Prompt to Fix
We are transmitting persistent user tracking identifiers (uuid, vid, sid, ci) to third-party analytics and bot-detection services (PerimeterX, px-cloud.net) without explicit user consent. These identifiers enable cross-site tracking and behavioral profiling. Please implement: 1) A consent banner that explicitly asks users before loading PerimeterX tracking scripts, 2) Privacy policy updates disclosing data sharing with PerimeterX and crcldu.com, 3) Modify the tag/script loading logic to only initialize third-party tracking after user consent is obtained, 4) Add a mechanism to respect Do Not Track (DNT) headers and privacy preference signals.
Why it's a bug
The network activity reveals multiple tracking identifiers (uuid, vid, sid, ci) being transmitted to third-party domains (px-cloud.net, perimeterx.net, crcldu.com) across multiple requests. These unique identifiers enable persistent cross-site user tracking and behavioral profiling without explicit user consent indicators. The data flows to external analytics/security vendors with comprehensive device and session fingerprinting data, creating a privacy violation under GDPR, CCPA, and similar regulations.
Why it might not be a bug
PerimeterX is a legitimate security/bot detection service commonly used by e-commerce sites, and the uuid/vid parameters are standard for such services. However, the lack of a visible consent mechanism and the transmission of combined behavioral data to multiple third parties still constitutes a privacy risk that should be transparently disclosed.
Suggested Fix
1) Implement explicit user consent before loading PerimeterX and third-party tracking scripts. 2) Add clear privacy disclosures about what data is collected and shared with these vendors. 3) Provide users with opt-out mechanisms for non-essential tracking. 4) Implement consent management to only send identifiers after user acknowledgment.
Why Fix
Users have a fundamental right to know they are being tracked and profiled. The current implementation transmits comprehensive behavioral and device data to external vendors without visible consent, violating privacy regulations and user trust expectations. This creates legal liability and reputational risk.
Route To
Privacy Engineer / Compliance Lead
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: No console logs provided in network data
Network: GET https://collector-pxqqxm841a.px-client.net/b/g?payload=[encoded_behavioral_data]&uuid=977abb50-2196-11f1-873d-2b085fa1ef97&vid=97810032-2196-11f1-99f3-3982b17b68aa&sid=9d9591e5-2196-11f1-bd9a-ba2bb13ad71b
3
Device Fingerprinting Data Transmitted to Multiple Third-Party Domains
CRIT P9
Conf 8/10 Other
Prompt to Fix
Review and remediate device fingerprinting practices. First, audit the PerimeterX implementation to identify all device characteristics being collected (canvas fingerprinting, font enumeration, hardware acceleration data, etc.). Implement explicit user consent mechanisms before device fingerprinting scripts execute. Add clear disclosure in the privacy policy explaining which device characteristics are collected, why, and with whom they are shared. Consider implementing privacy-preserving alternatives or limiting fingerprinting to first-party only. Add console warnings for users when fingerprinting data is being collected.
Why it's a bug
Network requests to px-cloud.net and crcldu.com include device fingerprinting indicators (client.px-cloud.net/main.min.js, js.px-cloud.net requests). The presence of captcha challenges combined with payload data transmission suggests device characteristics are being collected and transmitted to third parties. The encoded payload in collector requests contains telemetry data that enables device fingerprinting for tracking purposes.
Why it might not be a bug
Device fingerprinting may be justified for fraud detection and bot prevention. However, the lack of transparency about fingerprinting and transmission to multiple third parties without consent is problematic.
Suggested Fix
Disclose device fingerprinting practices clearly in the privacy policy. Implement consent mechanisms before collecting device fingerprint data. Limit device fingerprint transmission to only necessary fraud-detection services. Use first-party-only fingerprinting solutions where possible instead of third-party tracking networks.
Why Fix
Device fingerprinting enables persistent user tracking even without cookies and violates privacy regulations. Users should be informed and have control over whether their device characteristics are being tracked.
Route To
Privacy Engineer / Backend Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: Device fingerprinting scripts loaded from third-party domains without user consent indicators
Network: GET https://client.px-cloud.net/PXqqxM841a/main.min.js - Status: 200, GET https://js.px-cloud.net/?t=d-7txwetm2r-1773706624697&v=984e42bf-2196-11f1-ae60-02d1aa2e71db
82 more issues detected:
Sensitive Session/Tracking Identifiers Exposed in Network Re...
Critical blocking verification prompt prevents site access
Critical verification blocker - user cannot proceed past hum...
and 79 more...
You're viewing the top 3 issues for Academy Sports.