Is Your Website GDPR Compliant?

06 Oct, 2020 | 5 minutes read

As technology progresses over the years, we have witnessed of growing use of personal data for applications and websites to function, but also to improve user experience. However, this personal data use isn’t always for the benefit of the people. We have all heard about stolen identities, stolen money from credit cards, etc., and due to it, rules, regulations, and policies have been created to protect personal data.

In our blog post, we are going to give a brief overview of GDPR, and a review of several tools for GDPR cookies scan which can be used to check whether your website is GDPR compliant.

About GDPR

GDPR stands for General Data Protection Regulation and at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general). GDPR is active for all EU entities (whether the processing takes place in the EU or not) It is the toughest privacy and security law in the world.

It’s intended to strengthen data protection for all people whose personal information falls within its scope of application, putting personal data control back into their hands. [Source: https://gdpr.eu/]

Personal data is any information that relates to an individual who can be directly or indirectly identified. Pseudonyms can also fall under the definition if it’s relatively easy to ID someone from it.

The fines for violating GDPR are very high! There are two tiers of penalties, which max out at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to seek compensation for damages.

If you are a data controller, you can help secure your organization from getting fined for data violation, protect your customers’ data, and ensure compliance by following the checklist (which can be found on GDPR official website) which includes the following items:

  • Lawful basis and transparency – you need to determine what information you process and who has access to it and provide clear information about the data processing in your privacy policy.
  • Enhanced data security – Encrypt or anonymize personal data wherever possible, create a security policy for your team members, build awareness about data protection, and create a process to notify the authorities in the event of a data breach.
  • Accountability and governance – Appoint a person to be responsible for GDPR compliance and sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
  • Privacy rights – Make it easy for your customers to correct or update inaccurate or incomplete information and receive all the information you have about them, or have their personal data deleted.

Browser cookies, or simply – cookies are small files stored on the user’s computer by the web browser while browsing a website intended to help the website keep track of user’s activity. There are different types of cookies that keep track of different activities. As an example, a website might use cookies to keep a record of your most recent visit record your login information, or keep track of the items in a user’s shopping cart. If the website doesn’t have cookies, your shopping car will always reset to zero when you click on a new link on the same site or will automatically log you out.

There are also third-party tracking cookies which cause more security concerns because they monitor where you are going and what you are doing online. These third-party cookies can sometimes be used by external sources, such as Google or Facebook to show you targeted ads. This can be a privacy concern since some of the visitors don’t exactly know what cookies are, what they consist of, or where and how they are used, so, the users have to consent (or deny) to using cookies on your site, before they are actually created.

There are a few free tools to scan for GDPR cookies and a few more to add (trial) cookie acceptance banners on your site.

So, in order to scan your site for compliance with GDPR, you need to go to one of the following sites and enter your site in the ‘Check website’ field.

https://app.cookieyes.com/, https://www.gdprcookiescan.eu/, https://www.ezigdpr.com/, https://www.cookiebot.com/

We’ve decided to scan the same page with the engines above, compare the results of the scans and find the best.

1. https://app.cookieyes.com/

First, after creating a user, we scanned the site with https://app.cookieyes.com/ application.

The site found a total of 7 cookies and 3 scripts (classified in 3 categories – Analytics, Advertisement, and Other) out of 24 scanned pages.

CookieYes also gives an additional description of the cookie in the report.

cookies table report

2 https://www.gdprcookiescan.eu/

Next, we have the https://www.gdprcookiescan.eu/ results:

This application scan found 8 cookies, out of which 3 were classified as high risk and 2 were medium risk cookies.

GDPR Cookie Scan got one more cookie, compared to the previous application.

GDPR Cookie Scan

3 https://www.ezigdpr.com/

The next one we tried was https://www.ezigdpr.com/

EziGDPR also found 8 cookies, but it also gave us a result for 8 possible user tracking resource tags that are loaded without user consent.

cookie analytics with google
tags detected on ypur website

4 https://www.cookiebot.com/

The last one we tried was https://www.cookiebot.com/, but unlike the previous ones that scanned and gave us results for just several minutes, Cookiebot sent us a 4-page extensive email with many results.

It found 19 cookies in total, 4 of which are Necessary for the basic functions of the site, 6 are for Statistics for the owners, 5 for Marketing tracking, and lastly, 4 were Unclassified and in need of a purpose description.

cookie scan report

Conclusion

As time passes, more and more restrictions are put on personal data use, and the way it can be used. As we have outlined in the blog post, there are many tools that can be used to scan GDPR cookies. The results that we got show that most of the cookies found by scanning the site are external cookies, especially those connected to Google and Facebook.

The most precise and extensive report by far was by Cookiebot, which even gave us the line numbers where the issues were found, at the cost of the time it took to analyze and send the results.

Cookiebot is followed closely by EziGDPR for fast results, and clearness of the simplicity of the report it displays.

The results from CookieYes and GDPR Cookie Scan were good, but not as extensive as the other two.

If you are interested in learning more about these tools, and about our analysis, feel free to contact us.