Data Privacy Audit
Is your website privacy compliant?
How the Privacy Audit works
The data privacy audit checks your website to determine its current data privacy compliance risk level, based on the requirements of privacy laws such as the GDPR, CCPA, LGPD and POPIA.
Compliance depends on whether users have given consent for the website’s use of first-party cookies, third-party cookies and third-party requests to collect and share data.
Frequently asked questions
What is a data privacy audit?
A data privacy audit (also known as a data protection or compliance audit) checks for the use of first-party cookies, third-party cookies and third-party requests on your website. This helps determine whether the site collects and shares data in accordance with privacy regulations, and the result is shown as a low, medium or high risk level for privacy noncompliance.
What do I do with the privacy audit results?
Once you have identified which cookies and requests are being used by your website for data collection, you can begin to ask your website visitors for consent. A consent management platform (CMP) manages the gathering and storing of consents to help you achieve privacy compliance.
How do I achieve GDPR compliance?
We can’t provide specific legal advice, but there are some best practices. Appoint representatives for data privacy and protection initiatives. Know what data you collect and how it’s managed. Have a provable legal basis for data processing. Set up data processing agreements with third parties. Provide clear information to enable users’ consent choices. Download our GDPR Compliance Checklist for more information.
What does it mean if my website risk is low?
A low risk level means that the data privacy audit found that your website sets first-party cookies without explicitly asking users for consent, which can still violate some data privacy laws, but found no third-party cookies and no third-party requests.
What does it mean if my website risk is medium?
A medium risk level means that the data privacy audit found clear evidence of noncompliance: your website sets either an above-average number of first-party cookies, or third-party cookies and/or third-party requests, without explicitly asking users for consent. You may be at risk of noncompliance penalties.
What does it mean if my website risk is high?
A high risk level means that the data privacy audit found substantial privacy compliance failures: your website sets a large number of third-party cookies and makes a large number of third-party requests without explicitly asking users for consent. You may be at risk of noncompliance penalties.
What are cookies?
Cookies are small pieces of data that a website stores in the user’s browser (via the Set-Cookie response header or JavaScript) and that the browser sends back with later requests. They enable user identification and tracking, personalized marketing and other functions, such as keeping a user logged in. Some types of cookies share user data with third parties. Website operators should know which cookies they use and what data they collect: valid consent cannot be obtained from users without accurately communicating how cookies are used.
What are first-party cookies?
First-party cookies are set by the website the user is visiting, i.e. under the same domain as the page. They enable website providers to collect customer activity and analytics data, remember language and other preference settings, and carry out other useful user-experience functions. A first-party cookie is not automatically exempt from consent: under EU rules only cookies strictly necessary for a service the user has requested (a login session, a shopping cart) are generally exempt, while first-party analytics and marketing cookies typically still require consent.
What are third-party cookies?
These are the riskiest type of cookie for privacy compliance; they are usually set for tracking and for retargeting marketing campaigns. They are set by a domain other than the one the user is visiting, for example an ad server whose tag is embedded on a publisher’s website, and they share user data with that third party, which can then recognise the user across every site that embeds the same vendor. Note that an audit based only on observed cookies can miss tracking that has moved to first-party cookies or to server-side requests, since several major browsers now block or partition third-party cookies by default.
What are third-party requests?
Third-party requests are network requests (for scripts, images, tracking pixels, fonts, iframes and the like) that a page makes to a domain other than the one the user is currently visiting. They usually go to vendors whose technology is embedded on the website where the user is active, or who use that website for advertising and tracking purposes. Even when no cookie is set, such a request typically discloses the user’s IP address, user agent and (via the Referer header) the page being viewed to the vendor, which is why third-party requests count towards the risk level in their own right.
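The following script shows the core of what the audit described above does: it takes the cookies and network requests a crawler would record on a fresh visit (before any consent is given), classifies each as first-party or third-party by comparing registrable domains, and maps the counts to the low/medium/high levels defined in this FAQ. It is an added example, not Usercentrics’ audit code. The sample site, cookies and request URLs are constructed; the numeric thresholds and the small public-suffix table are assumptions, since the page only says “above average” and “large number” and a real audit would use the full Public Suffix List.

```python
"""Classify observed cookies and requests as first- or third-party and map
them to the low/medium/high risk levels described on this page.
Added example, not Usercentrics' audit code."""
from urllib.parse import urlsplit

# Assumed thresholds: the page gives none, it only says "above average"
# first-party cookies (-> medium) and a "large number" of third-party
# cookies and requests (-> high).
FIRST_PARTY_MANY = 10   # more first-party cookies than this -> medium
THIRD_PARTY_MANY = 5    # at least this many 3p cookies AND 3p requests -> high

# Simplified public-suffix handling (assumption). A real audit should use the
# Public Suffix List so that e.g. "example.co.uk" is treated as one site.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host: 'www.example.co.uk' -> 'example.co.uk'.
    Cookie Domain attributes may carry a leading dot; strip it first."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(host: str, site_host: str) -> bool:
    """A cookie or request is third-party when its registrable domain differs
    from the visited site's, so cdn.example.com is still first-party."""
    return registrable_domain(host) != registrable_domain(site_host)


def audit(site_url: str, cookies, request_urls) -> dict:
    """cookies: dicts with 'name' and 'domain' as a browser or crawler records
    them on a fresh visit with no consent given; request_urls: every URL the
    page fetched in that same session."""
    site_host = urlsplit(site_url).hostname
    first_party = [c for c in cookies if not is_third_party(c["domain"], site_host)]
    third_party = [c for c in cookies if is_third_party(c["domain"], site_host)]
    tp_requests = [
        u for u in request_urls
        if urlsplit(u).hostname and is_third_party(urlsplit(u).hostname, site_host)
    ]
    tp_domains = sorted({registrable_domain(urlsplit(u).hostname) for u in tp_requests})

    # Risk mapping follows the FAQ: no 3p activity -> low; any 3p activity or
    # an unusual number of 1p cookies -> medium; lots of both 3p kinds -> high.
    if len(third_party) >= THIRD_PARTY_MANY and len(tp_requests) >= THIRD_PARTY_MANY:
        level = "high"
    elif third_party or tp_requests or len(first_party) > FIRST_PARTY_MANY:
        level = "medium"
    else:
        level = "low"

    return {
        "risk": level,
        "first_party_cookies": [c["name"] for c in first_party],
        "third_party_cookies": [f'{c["name"]}@{c["domain"]}' for c in third_party],
        "third_party_requests": len(tp_requests),
        "third_party_domains": tp_domains,
    }


# Constructed sample: what a crawler might record on a fresh visit.
SAMPLE_SITE = "https://www.example.co.uk/"
SAMPLE_COOKIES = [
    {"name": "session_id", "domain": "www.example.co.uk"},
    {"name": "lang", "domain": ".example.co.uk"},
    {"name": "IDE", "domain": ".doubleclick.net"},
]
SAMPLE_REQUESTS = [
    "https://www.example.co.uk/main.css",
    "https://cdn.example.co.uk/app.js",
    "https://www.google-analytics.com/collect?v=1&tid=UA-0",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://stats.g.doubleclick.net/r/collect",
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SITE, SAMPLE_COOKIES, SAMPLE_REQUESTS), indent=2))
```

The sample lands at “medium”: two first-party cookies, one DoubleClick cookie and three third-party vendor domains contacted without consent. Feed the function the cookie jar and request log from a headless-browser crawl of your own site to reproduce the check; the thresholds are the part to tune to your own policy.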
How do I conduct a privacy compliance audit?
The first step is to set the parameters of the audit, including:
- what you’ll evaluate, e.g. websites, apps, etc.
- which privacy laws and requirements you’ll check against
- who will conduct the audit
- how frequently you’ll conduct audits
Once you have your methodologies in place, examine your data inventory, processes, and privacy policy. Evaluate these to see if they comply with current relevant regulatory requirements, and check that any vendors you share data with are also compliant. Remember that the data controller is responsible for the privacy compliance of their data processors under many data privacy laws. Document any places where security and data handling are not compliant or can be strengthened, and create a report with recommendations for changes to enable compliance.
What is privacy compliance?
Privacy compliance refers to collecting, storing, processing, and use of customer data in a way that aligns with the requirements of relevant data privacy and protection laws and your internal policies. If an organization collects and uses personal data from people in regions where there are data privacy laws like the GDPR, LGPD, POPIA, CCPA, etc., typically the organization must comply with those laws, even if the organization is located elsewhere.
What is the objective of a data privacy audit?
A data privacy audit evaluates whether you collect, use, and share data in compliance with privacy laws and identifies where you can make improvements. It determines if your website’s risk of noncompliance is low, medium, or high, based on various factors, including how you collect consent and the data security controls and access controls in place. The Usercentrics data privacy audit enables you to see if your website is employing cookies and trackers and collecting user data in a way that is likely to comply with data privacy laws or not.
What is a GDPR data audit?
A GDPR data audit is an evaluation of your compliance with the GDPR, the data privacy and protection law for the European Union (EU) and European Economic Area (EEA). Websites and apps that process data from users in the EU must comply with GDPR requirements, even if the company collecting the data is a non-EU company. The GDPR has some of the most rigorous data protection requirements, and noncompliance can result in hefty fines, data loss, and damage to brand reputation.
Are audits required by the GDPR?
There’s no specific provision in the GDPR that requires you to conduct a GDPR audit. That said, it’s good practice to do so at regular intervals to ensure you are and remain compliant with that law and any other relevant regulations, including using a lawful basis for collecting user data under the GDPR.
What is a privacy policy?
A privacy policy is a statement, usually located on your website, that shares information about your data processing policies and how you handle user data. It specifies what data you’re collecting, for what purpose(s), who you may share it with, and how you secure it. Typically it also includes information about users’ rights regarding personal data and how to exercise them. The legal requirements for what information a privacy policy should contain depend on where your website’s users are located. Read our blog post on privacy policies to know more about how to write a good privacy policy.
Disclaimer: The Data Privacy Website Audit is intended to serve as a starting point for website operators to improve their data protection compliance. The results presented might not be 100% complete and should not be considered an extensive compliance check. No claim is made as to the accuracy of the results. Usercentrics does not assume any liability for the accuracy and completeness of the results.