Inspiration

Every day, billions of people click "Accept All" on cookie banners without reading them. I was one of them. The moment that changed everything was when a friend of mine won a hackathon by building a browser extension that read Terms & Conditions and told users whether they were safe to accept.

I thought — nobody has done this for cookie policies in India, specifically under our own data protection law. India passed the Digital Personal Data Protection (DPDP) Act in 2023, giving Indian citizens legal rights over their personal data for the first time. Yet there was not a single consumer-facing tool that told everyday users what they were agreeing to — in plain English — on Indian websites like Zomato, Swiggy, Amazon.in, or Flipkart.

Every existing tool (Consent-O-Matic, Superagent, Cookie Consent Crusher) was built for EU users under GDPR. They auto-click the banner and make it disappear. But you still don't know what you agreed to. It's like someone signing a contract on your behalf without telling you what's in it. That gap became CookieLens.

What it does

CookieLens is a Chrome extension that automatically detects cookie banners, fetches the website's privacy policy, and analyses it using the LLaMA 3.1 AI model via the Groq API. It returns a risk score from 1 to 10, a plain English summary, a list of data types collected, third parties the data is shared with, and a specific concern under India's DPDP Act 2023 — all displayed in a clean popup within seconds of visiting any website.

How we built it

CookieLens was built in 5 stages over one week, solo, in vanilla JavaScript with no frameworks.

Stage 1 — Extension Skeleton

Set up manifest.json (Manifest V3), created the folder structure, and loaded the extension into Chrome Developer Mode to verify it appeared in the toolbar.

Stage 2 — Content Script

content.js is injected into every webpage automatically. It:

  • Reads all visible text using document.body.innerText
  • Searches for cookie-related keywords using .some()
  • Finds privacy policy links using querySelectorAll('a')
  • Sends a PAGE_SCANNED message to background.js

Stage 3 — AI Analysis Layer

background.js receives the message, fetches the privacy policy page, strips HTML, and sends the first 3000 characters to the Groq API (LLaMA 3.1 8B Instant model). The prompt instructs the model to return a structured JSON object:

```json
{
  "score": 7,
  "verdict": "AMBER",
  "summary": "...",
  "collected": ["Location", "Email", "Payment Info"],
  "shared_with": ["Ad Networks", "Analytics"],
  "dpdp_concern": "..."
}
```

Stage 4 — Popup UI

popup.js reads the result from chrome.storage.local and renders a clean dark-themed popup with:

  • A colour-coded score circle (green / amber / red)
  • Plain English summary
  • Data collected tags
  • Third parties shared with
  • India DPDP Act 2023 specific concern

Stage 5 — Polish

  • Added a badge on the extension icon showing the risk score using chrome.action.setBadgeText()
  • Implemented URL-based caching to skip redundant API calls
  • Added a proper cookie emoji icon replacing the default puzzle piece
  • Tested on Zomato, Amazon.in, Flipkart, Swiggy, and Meesho
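The Stage 3 text-extraction step (strip HTML without DOMParser, then keep the first 3000 characters) can be sketched as below; this is an added example, not CookieLens's own code. The function names and the sample page are constructed for illustration.

```javascript
// Regex-based HTML-to-text for a context without DOMParser (service worker).
// The output is plain text for the model; it is NOT sanitized HTML.
const NAMED_ENTITIES = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["nbsp", " "],
]);

function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1].toLowerCase() === "x";
      const code = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave out-of-range references untouched instead of throwing.
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return NAMED_ENTITIES.get(body.toLowerCase()) ?? match;
  });
}

function htmlToText(html) {
  const withoutBlocks = html
    .replace(/<!--[\s\S]*?-->/g, " ")
    // Drop elements whose content is never visible policy text.
    .replace(/<(script|style|noscript|template)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, " ");
  const withoutTags = withoutBlocks.replace(/<\/?[a-z][^>]*>/gi, " ");
  // Decode last: "&lt;b&gt;" becomes the literal text "<b>", never markup.
  return decodeEntities(withoutTags).replace(/\s+/g, " ").trim();
}

function policyExcerpt(html, limit = 3000) {
  const text = htmlToText(html);
  if (text.length <= limit) return text;
  // Cut at the last word boundary so the model does not get half a word.
  const cut = text.lastIndexOf(" ", limit);
  return text.slice(0, cut > 0 ? cut : limit);
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `<html><head><style>p{color:red}</style>
<script>var tracker = "<p>not policy text</p>";</script></head>
<body><!-- build 42 --><h1>Privacy&nbsp;Policy</h1>
<p>We share your email &amp; location with <a href="/partners">ad partners</a> and analytics firms.</p>
<p>Write &lt;b&gt;opt-out&lt;/b&gt; to us.</p></body></html>`;

console.log(policyExcerpt(SAMPLE_HTML));
```

Because entity decoding can reintroduce characters such as "<", the extracted text should only ever be handled as text and never inserted into a page as HTML.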

Challenges we ran into

  1. DOMParser is not defined: background.js runs as a Service Worker — not in a browser window context. Tools like DOMParser that work in normal browser JS simply do not exist there. I had to replace it entirely with regex-based HTML stripping, which actually taught me more about how HTML is structured than DOMParser ever would have.
  2. API Authentication Failures: Three different AI APIs failed for three different reasons:

     • Anthropic — required the header anthropic-dangerous-direct-browser-access: true (not the similar-looking anthropic-dangerous-allow-browser)
     • Gemini — free tier quota was limit: 0 for Indian accounts on gemini-2.0-flash
     • Groq — worked perfectly on the first real attempt after correct key setup

Each error was a real-world lesson in reading API documentation carefully.

  3. JSON Parsing Breaking: The AI sometimes wrapped its JSON response in markdown code fences (```json) even when told not to. JSON.parse() would throw an error on that. The fix — stripping backticks before parsing — was simple but required understanding why it was breaking first.
  4. Message Channel Closing Too Early: Chrome's message listener closed the async connection before background.js finished its API call. The fix was a single line — return true at the end of the listener — but finding it required understanding how Chrome's extension messaging lifecycle works.
  5. Manifest JSON Comments: JSON does not support comments. The original manifest included // ... style comments (copied from documentation) which caused an EOF while parsing error. Removing all comments fixed it — and taught me that JSON is strictly a data format, not a config language.

Accomplishments that we're proud of

Building CookieLens entirely solo — without splitting work across a team — and understanding every single line of code is the accomplishment we're most proud of. This was not vibe coded. Every function, every API call, every error was debugged and understood from scratch.

We're proud that CookieLens works on real Indian websites right now. Opening Amazon.in and seeing a live risk score appear within seconds — analysing an actual privacy policy using AI — feels like building something genuinely useful, not just a demo.

We're proud of the DPDP angle. Every existing cookie tool in the world was built for European users under GDPR. CookieLens is the first consumer-facing extension that analyses privacy policies specifically through the lens of India's Digital Personal Data Protection Act 2023. That gap was real, and we filled it.

We're proud that we navigated three different AI API failures — Anthropic, Gemini, and Groq — each failing for a different reason, and solved every one of them. That kind of real-world debugging is what separates a working product from a presentation slide.

What we learned

We learned that understanding architecture matters more than writing code. Before writing a single line, understanding how content scripts, service workers, and popups communicate through Chrome's message passing system made everything else fall into place naturally.

We learned that Service Workers are a completely different JavaScript environment — browser tools like DOMParser simply don't exist there. Replacing it with regex-based HTML stripping taught us more about how HTML is structured than any tutorial would have.

We learned how to do real prompt engineering. Getting an AI to return consistent, parseable JSON — and handling cases where it wraps the response in markdown code fences — required precision in how we wrote the prompt, not just calling an API blindly.

We learned that every API error is a lesson. The wrong header name (anthropic-dangerous-allow-browser vs anthropic-dangerous-direct-browser-access), regional quota limits on Gemini for Indian accounts, and Groq's OpenAI-compatible response format — each failure taught us something real about how production APIs work.

Most importantly, we learned that the idea matters as much as the code. Reaching hackathon finals before but never winning taught us that the gap between a good idea and a winning idea is specificity — who exactly has this problem, why does it exist now, and what makes your solution impossible to dismiss.
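Handling a fenced or otherwise untidy model reply goes beyond stripping backticks: the reply is derived from an arbitrary website's policy text, so it is worth validating against the expected JSON shape before it is cached or shown. The following is an added example, not CookieLens's own code; the function names, the length limits, the GREEN and RED verdict values and the sample reply are assumptions made for illustration.

```javascript
// Parse and validate a model reply before it reaches storage or the popup.
const VERDICTS = ["GREEN", "AMBER", "RED"]; // assumed set; the page shows "AMBER"

function extractJson(reply) {
  // The model may wrap JSON in markdown fences or add prose around it;
  // keep only the span from the first "{" to the last "}".
  const start = reply.indexOf("{");
  const end = reply.lastIndexOf("}");
  if (start === -1 || end <= start) throw new Error("no JSON object in reply");
  return reply.slice(start, end + 1);
}

function cleanString(value, maxLen) {
  if (typeof value !== "string") throw new Error("expected a string");
  return value.trim().slice(0, maxLen);
}

function cleanList(value, maxItems, maxLen) {
  if (!Array.isArray(value)) throw new Error("expected an array");
  return value.slice(0, maxItems).map((item) => cleanString(item, maxLen));
}

function parseAnalysis(reply) {
  const raw = JSON.parse(extractJson(reply));
  if (!Number.isInteger(raw.score) || raw.score < 1 || raw.score > 10) {
    throw new Error("score must be an integer from 1 to 10");
  }
  if (!VERDICTS.includes(raw.verdict)) throw new Error("unknown verdict");
  // Copy known fields only, so unexpected keys never reach storage or the UI.
  return {
    score: raw.score,
    verdict: raw.verdict,
    summary: cleanString(raw.summary, 600),
    collected: cleanList(raw.collected, 12, 40),
    shared_with: cleanList(raw.shared_with, 12, 40),
    dpdp_concern: cleanString(raw.dpdp_concern, 600),
  };
}

// Constructed sample reply: prose, a markdown fence, and one unexpected key.
const FENCE = "`".repeat(3);
const SAMPLE_REPLY = "Here is the analysis:\n" + FENCE + "json\n" +
  '{"score": 7, "verdict": "AMBER", "summary": " Shares data with advertisers. ",' +
  ' "collected": ["Location", "Email"], "shared_with": ["Ad Networks"],' +
  ' "dpdp_concern": "No clear way to withdraw consent.", "debug": "unexpected"}' +
  "\n" + FENCE;

console.log(parseAnalysis(SAMPLE_REPLY));
```

In popup.js, writing these fields with textContent rather than innerHTML keeps policy-derived text from being interpreted as markup.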

What's next for CookieLens: Know Before You Accept

The immediate next step is making CookieLens available on the Chrome Web Store so any Indian user can install it in one click — no technical setup required.

On the product side, we want to add a site comparison feature — "Amazon.in collects 3x more data than Flipkart" — so users can make informed choices between competing services. We also want to build a weekly privacy report that summarises the risk profile of every site a user visited that week.

On the business side, the B2B opportunity is significant. Under the DPDP Act, companies face fines up to ₹250 crore for non-compliant data practices. We want to build a compliance dashboard that lets Indian businesses audit their own privacy policies before regulators do — flipping CookieLens from a consumer tool into a SaaS product.

On the technical side, we want to move the API key to a secure backend server, add multilingual support for regional Indian languages, and expand analysis beyond the first 3000 characters of a policy to handle full-length documents using chunking and summarisation.

The long term vision is simple — every Indian internet user deserves to know what they're agreeing to before they click Accept. CookieLens is the beginning of that.

Built With

  • chrome-extension-manifest-v3
  • chrome-storage-api
  • github
  • groq
  • llama-3.1-8b-instant
  • vanilla-javascript
  • vs-code