Data Privacy Audit
How the Privacy Audit works
The data privacy audit checks your website or app to determine your current data privacy compliance risk level. This is based on the requirements of privacy laws like the GDPR, CCPA, LGPD and POPIA.
Compliance depends on user consent for the use of first-party cookies, third-party cookies and third-party requests that collect and share data.
Is your website privacy compliant?
FAQs – Web Consent Management
A data privacy audit (also known as a protection or compliance audit) checks for the use of first-party cookies, third-party cookies and third-party requests on your website. This helps determine if the site collects and shares data in accordance with privacy regulations and displays a low, medium or high risk level for privacy noncompliance.
Once you have identified which cookies and requests are being used by your website for data collection, you can begin to ask your website visitors for consent. A consent management platform (CMP) manages the gathering and storing of consents to help you achieve privacy compliance.
We can’t provide specific legal advice, but there are some best practices. Appoint representatives for data privacy and protection initiatives. Know what data you collect and how it’s managed. Have a provable legal basis for data processing. Set up data processing agreements with third parties. Provide clear information to enable users’ consent choices. Download our GDPR Compliance Checklist for more information.
A data privacy audit can classify your website as low risk. A low risk level means that the data privacy audit found that your website sets first-party cookies without explicitly asking users for consent, which can violate some data privacy laws. No third-party cookies or third-party requests were found.
A medium risk level means that the data privacy audit found that your website is definitely not privacy compliant. Your website sets either an above average number of first-party cookies OR third-party cookies and/or third-party requests, without explicitly asking users for consent. You may be at risk of noncompliance penalties.
A high risk level means that the data privacy audit found that your website has substantial privacy compliance failures. Your website sets a large number of third-party cookies and third-party requests without explicitly asking users for consent. You may be at risk of noncompliance penalties.
Cookies are small files set in web browsers that enable user identification and tracking, personalized marketing and other functions. Some types of cookies share user data with third parties. Website operators should know which cookies they use and what data they collect. Valid consent can’t be requested from users without accurately communicating about cookie usage.
First-party cookies are set by websites while the user is on-site. They enable website providers to collect customer activity and analytics data, remember language and other preference settings, and carry out other useful user experience functions.
Third-party cookies are the riskiest type of cookie for privacy compliance. They are usually set for tracking and retargeting marketing campaigns, are set by third-party servers such as ad servers on publishers’ websites, and share user data with those third parties.
Third-party requests are files that are loaded from a website other than the one that the user is currently visiting. They usually are from vendors whose technology is implemented on the website where the user is active, or who use that website for advertising and tracking purposes.
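The first-party/third-party split and the low/medium/high levels described above can be turned into a simple classifier. The following is an added example, not Usercentrics code: it compares each observed cookie domain and request host against the site’s registrable domain and maps the result to the three risk levels. The site, cookies and requests are constructed sample data, the numeric thresholds are assumptions (the page only says "above average" and "large number"), and the observations are assumed to have been captured before the visitor interacted with any consent banner.

```python
from urllib.parse import urlparse

# Constructed sample audit data for a hypothetical site (not real observations).
SITE = "https://www.example-shop.test/"
OBSERVED_COOKIES = [  # (cookie name, Domain attribute the cookie was set for)
    ("session_id", "www.example-shop.test"),
    ("lang", ".example-shop.test"),
    ("_ga", ".example-shop.test"),   # analytics cookie, still first-party by domain
    ("IDE", ".ads-vendor.test"),     # set by a third-party ad server
]
OBSERVED_REQUESTS = [
    "https://www.example-shop.test/static/app.js",
    "https://cdn.example-shop.test/img/logo.png",       # own CDN subdomain
    "https://tracker.ads-vendor.test/pixel.gif",        # third-party request
    "https://analytics.metrics-vendor.test/collect",    # third-party request
]

def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host name.
    Assumption: a real audit would consult the Public Suffix List so that
    hosts such as 'shop.co.uk' are grouped correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify(site_url, cookies, requests, many_first_party=10, many_third_party=5):
    """Split observations into first- and third-party and map them to the
    page's low/medium/high levels. Thresholds are assumed values."""
    site = registrable_domain(urlparse(site_url).hostname)
    first = [n for n, d in cookies if registrable_domain(d) == site]
    third_cookies = [n for n, d in cookies if registrable_domain(d) != site]
    third_requests = [u for u in requests
                      if registrable_domain(urlparse(u).hostname) != site]
    third_total = len(third_cookies) + len(third_requests)
    if third_total >= many_third_party:
        level = "high"      # many third-party cookies and requests, no consent
    elif third_total > 0 or len(first) > many_first_party:
        level = "medium"    # any third-party activity, or unusually many first-party cookies
    else:
        level = "low"       # first-party cookies only
    return {"first_party_cookies": first, "third_party_cookies": third_cookies,
            "third_party_requests": third_requests, "risk": level}

if __name__ == "__main__":
    print(classify(SITE, OBSERVED_COOKIES, OBSERVED_REQUESTS))
```

Note that `_ga` is counted as first-party because of the domain it is set for; the audit described on this page classifies by who sets the cookie, not by what the cookie is used for.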
The first step is to set the parameters of the audit, including:
- what you’ll evaluate, e.g. websites, apps, etc.
- which privacy laws and requirements you’ll check against
- who will conduct the audit
- how frequently you’ll conduct audits
Once you have your methodologies in place, examine your data inventory, processes, and privacy policy. Evaluate these to see if they comply with current relevant regulatory requirements, and check that any vendors you share data with are also compliant. Remember that the data controller is responsible for the privacy compliance of their data processors under many data privacy laws. Document any places where security and data handling are not compliant or can be strengthened, and create a report with recommendations for changes to enable compliance.
Privacy compliance refers to collecting, storing, processing, and using customer data in a way that aligns with the requirements of relevant data privacy and protection laws and your internal policies. If an organization collects and uses personal data from people in regions where there are data privacy laws like the GDPR, LGPD, POPIA, CCPA, etc., typically the organization must comply with those laws, even if the organization is located elsewhere.
A data privacy audit evaluates whether you collect, use, and share data in compliance with privacy laws and identifies where you can make improvements. It determines if your website’s risk of noncompliance is low, medium, or high, based on various factors, including how you collect consent and the data security controls and access controls in place. The Usercentrics data privacy audit enables you to see if your website is employing cookies and trackers and collecting user data in a way that is likely to comply with data privacy laws or not.
A GDPR data audit is an evaluation of your compliance with the GDPR, the data privacy and protection law for the European Union (EU) and European Economic Area (EEA). Websites and apps that process data from users in the EU must comply with GDPR requirements, even if the company collecting the data is a non-EU company. The GDPR has some of the most rigorous data protection requirements, and noncompliance can result in hefty fines, data loss, and damage to brand reputation.
There’s no specific provision in the GDPR that requires you to conduct a GDPR audit. That said, it’s good practice to do so at regular intervals to ensure you are and remain compliant with that law and any other relevant regulations, including using a lawful basis for collecting user data under the GDPR.
A privacy policy is a statement, usually located on your website, that shares information about your data processing policies and how you handle user data. It specifies what data you’re collecting, for what purpose(s), who you may share it with, and how you secure it. Typically it also includes information about users’ rights regarding personal data and how to exercise them. The legal requirements for what information a privacy policy should contain depend on where your website’s users are located. Read our blog post on privacy policies to know more about how to write a good privacy policy.
FAQs – App Consent Management
If you use any third-party SDKs in your app for marketing, advertising or any other purpose that tracks user behavior or data, the answer is most likely yes. Any processing activity that is not strictly necessary for the functioning of your app requires consent.
For most third-party technologies that collect your users’ data, you need to collect an explicit consent choice from your users and make sure that this consent choice is correctly passed to the relevant third-party technology. While this principle is straightforward, it is more complex to comply with all the requirements of the various privacy regulations around the world. Usercentrics CMP simplifies this for you and avoids the pain of building and maintaining a complex solution. Reach out to learn more.
Our pricing for Apps is based on volume of users. More specifically, Average of Daily Active Users (ADAU) across all of your apps integrating the Usercentrics Apps CMP. You may integrate our CMP in unlimited Apps with no extra cost. Please provide an ADAU estimate to a sales agent for a quote or visit our pricing page.
We define a Daily Active User (DAU) as a unique user who used an app within a given calendar day. For example:
- A user opens your app once today, they count as 1 DAU today.
- A user opens your app 20 times today, they count as 1 DAU today.
- A user opens your app once today and 3 times tomorrow, they count as 1 DAU today and 1 DAU tomorrow.
For mobile apps, we support the iOS and Android platforms. From a technical perspective, we offer native SDKs for iOS and Android, but also SDKs for cross-platform frameworks: Flutter, React Native and Unity.
For TV apps, we support tvOS, Android TV (and other Android TV based platforms like Fire TV), and web-based platforms such as Samsung TV, LG webOS, Chromecast, PlayStation, Xbox, etc.
Yes, we have a dedicated Unity SDK for mobile games. You can learn more about it in our documentation.
Mobile app consent means getting permission from app users to collect and use their personal data. It respects user privacy by enabling users to control how apps use their data while also meeting international privacy standards. You can obtain consent using a consent management platform set up with legally compliant consent settings, including for cookie consent. Read our best practices for collecting mobile app consent.
Prior consent is mandatory under many privacy laws when collecting user data for any purpose, such as for marketing or advertising, that’s not essential for the app to work. The GDPR requires a lawful basis for processing user data, and consent must be explicit. Users need to opt in to allow the app to collect and use their data. Your app should display a user consent form designed to give users the option to accept or decline whether they share their data. Additionally, any data you collect must comply with your privacy program, including how user data will be protected.
Yes, the GDPR is the data privacy law for the European Union and applies to mobile apps that process data from users in the EU, even if the app developer is not an EU company. Mobile app consent under the GDPR must be explicit. Users need to opt in to allow apps to collect their data, using consent settings the app presents to them before it can collect any data.
The GDPR is designed to protect consumers’ personal data and rights, and requires consent from all types of digital users, including those giving mobile app consent. Here are some requirements to ensure your mobile apps comply with the GDPR:
- Before obtaining users’ consent, clearly explain the types of data you want to collect and why, who will use it, how it will be stored, and how it will be used. You must share this information somewhere easily accessible and in a way that the target audience can understand.
- You must inform users why you’re requesting their data and collect only the data you need to fulfill that specific purpose. Users must consent to the specific purpose, and if you need data for a different or additional purpose, you must obtain new consent.
- Users must have a choice whether or not to consent to collection and processing of their data. If they decline, they cannot face negative consequences, such as being denied access to the app.
- Users must actively opt in to consent to their data being collected for consent to be valid. Using pre-ticked boxes or presuming consent if they don’t object is not good enough. Consent must be active and explicit.
- Users must be able to change or withdraw their consent at any time, just as easily as they gave it.
- You must document all instances of consent and be able to provide proof if a data protection authority requests it.
- Cookie consent falls under the GDPR, and mobile apps that use cookies to collect user data must comply with GDPR requirements.
If you use cookies to collect user data for marketing, advertising, analytics, or any other purpose not strictly necessary for your app to function, and the users reside in jurisdictions protected by data privacy laws requiring prior consent for data collection, sale, etc., then you need cookie consent for mobile apps. Cookie consent falls under the scope of the GDPR, and mobile apps that use cookies must comply with GDPR regulatory requirements. You can use cookie consent banners on your app to tell users that your app uses cookies and enable them to choose whether or not to share their data.
Many modern data privacy laws apply to any platform that collects user data, and this includes mobile apps. To prioritize user privacy, many international privacy laws require mobile app developers to have a lawful basis for using user data. Regulations such as the GDPR (EU), LGPD (Brazil) and POPIA (South Africa) all require user consent before you can process their data. Some state-level privacy laws in the United States, including the CCPA (California) and VCDPA (Virginia) require you to let users actively opt out of processing their data.
To protect user privacy, your mobile app must include consent settings that meet the requirements of privacy regulations where your users reside, which could mean worldwide. This includes obtaining explicit opt-in consent to meet GDPR requirements. Using a consent management platform like Usercentrics’ helps you collect consent compliantly without disrupting user experience.