
The expectations for companies’ data privacy practices have come a long way since 2016 when the European Union adopted the General Data Protection Regulation (GDPR). Twelve states and numerous countries have enacted their own sets of data privacy regulations in the past eight years.

All these regulations cover similar themes and grant users specific rights over their data. Each regulation's nuances are different, so you should determine which regulations apply to your company and ensure you comply with them. However, there are best practices you can follow to cover baseline privacy laws.

User tracking often begins with cookies, so they’re a great place to start evaluating your data privacy practices. You can use the following guidance to get a sense of where your site stacks up against best practices for cookie management.

Check if You Can Opt In or Opt Out of Tracking

The first thing you should check is whether you can opt in and opt out of tracking. GDPR requires that users explicitly consent before tracking occurs (opt-in). State regulations have, so far, all allowed tracking by default with a clear means of opting out. From a privacy perspective, the best practice is the opt-in approach, because you know that users have explicitly provided their consent. That way, you’re compliant with both GDPR and state regulations.

It’s worth noting that many sites don’t allow for either approach. Instead, they simply inform users that they’re being tracked. While this is better than nothing, it doesn’t give the user control of their data and doesn’t meet either regulatory standard.

Test Your Options to Opt In or Opt Out

Using a new Incognito/Private browser window, navigate to any page on your site. When the page loads, you should see a banner, pop-up, or some other type of notification that informs you about tracking and requests your consent. You should be asking these questions:

  1. Is there a cookie notification?
  2. Can I withhold or revoke consent?
  3. Is there a way to learn more about what these cookies do?

If the answer to any of these questions is no, your organization has room to improve before it meets best practices.

See if Opting Out Actually Works

It’s one thing to show a banner with buttons and toggles on it. It’s another for those controls to change how your site behaves. Your site should only set cookies that belong to the consent buckets the user has accepted. If your site uses the opt-in approach, then when you land on your first page you should only have cookies categorized as “Strictly Necessary.” If your site uses opt-out, all the cookies for that page will load immediately; once you have opted out, those cookies should be removed.

Test Opting Out

In your Incognito/Private browser window, validate that you have opted out of all cookies. Make sure your selection is saved. Then navigate to a new page. If your site lists the cookies in each bucket on its privacy policy or cookie policy page, we suggest navigating to that page, since having the list in front of you makes validation easier.

Next, you should see which cookies exist in your browser. To do that, open the developer tools by either pressing F12 or by right-clicking on the page and selecting “Inspect”. The developer tools will open in a panel or new window and will have several tabs across the top. The tab you want is called “Application” in Edge or Chrome, and “Storage” in Firefox. In each of them you’ll see a storage section that includes a Cookies dropdown. Expand the dropdown. Safari is a bit different and has a Privacy Report that will list the cookies for you.

Cookies placed by www.velir.com shown through Chrome’s DevTools.

Now you can compare the list of cookies placed in your browser with the list you consented to by comparing the names. It wouldn’t be surprising if you consented to cookies that have not been placed yet, since you’ve only visited two pages. But if you see cookies that you didn’t consent to, there is an issue. Check each consent group in turn by updating your consent settings and reloading the page. To assess it more thoroughly, navigate to different pages on your site to try to trigger other cookies.

Get help assessing your data privacy compliance.

Our experts can help you determine whether your website’s cookie tracking follows data privacy best practices, and if it doesn’t they can work with you to make the necessary improvements to your site.

Ensure Your Cookies Are Secure

Data privacy and security are closely related. Any data that a user does consent to share should only be accessible to the intended recipients. To help ensure that, cookies should be sent over HTTPS, not HTTP. Data passed over HTTP is not encrypted, so it can be intercepted and read by unintended audiences. If a session cookie is sent that way, a bad actor who intercepts it could use it to impersonate you.

Test Your Cookie Security

Open the developer tools you used to evaluate whether your consent settings were working. This time, instead of looking at the Name column, look at the column called “Secure.” A checkmark there means the cookie carries the Secure attribute, which tells the browser to send it only over HTTPS. Ideally, every cookie would have a checkmark in that column. Any sensitive cookie must have that designation, but it may be difficult to determine whether a cookie is sensitive. Cookies with an expiration of “session” are worth noting, since those are the ones most likely to identify a logged-in user. If you find insecure cookies, it may be best to escalate them to the team that manages your site to determine whether a change is necessary.
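To make the two checks above (cookies set without consent, and cookies set without the Secure attribute) repeatable, here is an added Python example that is not from the original post or Velir’s own tooling. It parses constructed Set-Cookie header values against a hypothetical consent policy; the policy, cookie names and headers are all made up for illustration.

```python
from dataclasses import dataclass

# Constructed cookie policy for a hypothetical site: cookie name -> consent bucket.
COOKIE_POLICY = {
    "session_id": "Strictly Necessary",
    "csrf_token": "Strictly Necessary",
    "_ga": "Analytics",
    "_fbp": "Marketing",
}

# Constructed Set-Cookie header values, as a server might send them on a page load.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=xyz789; Path=/; Secure",
    "_ga=GA1.2.111; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "_fbp=fb.1.222; Max-Age=7776000; Path=/; Secure",
    "tracker=1; Path=/",  # not in the policy, and a session cookie without Secure
]

@dataclass
class Cookie:
    name: str
    secure: bool   # browser will only send it over HTTPS
    session: bool  # no Expires/Max-Age, so it lives until the browser closes

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return Cookie(
        name=name,
        secure="secure" in attrs,
        session=not (attrs & {"expires", "max-age"}),
    )

def audit(headers, accepted_buckets):
    """Compare the cookies actually set against the buckets the visitor accepted."""
    report = {"unconsented": [], "insecure": [], "insecure_session": []}
    for header in headers:
        c = parse_set_cookie(header)
        # A cookie missing from the policy cannot have been consented to.
        bucket = COOKIE_POLICY.get(c.name, "Unlisted")
        if bucket not in accepted_buckets:
            report["unconsented"].append(c.name)
        if not c.secure:
            report["insecure"].append(c.name)
            if c.session:
                report["insecure_session"].append(c.name)
    return report
```

Calling `audit(SAMPLE_HEADERS, {"Strictly Necessary"})` models the first page load on an opt-in site, where anything outside that bucket is a finding.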

The Bigger Picture for Data Privacy

The tests we’ve covered in this post focus solely on how your site manages cookies. Passing them doesn’t guarantee that your site is compliant, and they don’t cover most of the requirements you need to meet to be compliant. They are simply meant to examine one part of compliance and show how you stack up against data privacy best practices. Hopefully, your site passed all these tests, and you now have the reassurance that it follows privacy best practices. If that was not your experience and you need some help getting there, we’re happy to help. Contact us about your data privacy needs.
