Is the European market important for your business? Then GDPR website compliance also matters for your company, no matter where your headquarters is located.
In a nutshell: GDPR website check
- Identify all cookies, plugins and other add-ons on your website. Use online services or browser add-ons for this purpose.
- Analyze the results for data protection relevance. Are there cookies or is personal data transferred?
- Check the content of your website. Have you included forms? Are there other ways to interact with website visitors?
- Create a privacy policy that includes all identified and analyzed points that are GDPR relevant.
Do you have a GDPR compliant website?
More and more website operators have been asking themselves this question since the GDPR came into force in May 2018, especially because the ECJ rulings of July 29, 2019 (consent for social media plugins) and October 1, 2019 (consent for cookies) did little to reassure operators. If anything, the panic has grown.
A website check involves effort – and therefore also costs.
We show you in this article how you can assess the status of your website regarding data protection yourself.
Note: We do our best to keep this article up to date. Nevertheless, we cannot give any guarantee. This is not legal advice either!
Perform GDPR website check yourself
We have by now audited many of our clients’ websites. Our approach is very detailed and sometimes complex.
In the following, we show you what is important and what tools you can use for your analysis. We also mention the tools and utilities we work with. However, this does not mean that there are no comparable providers. We are not interested in advertising individual services here. Nor do we give a rating or receive commission if you use any of the services. We are simply demonstrating our approach to a compliant GDPR website.
Many roads lead to Rome. And we don’t want to claim that we know the only possible way.
Attached is a compact checklist that briefly summarizes the points covered in this article. For our clients, we provide a detailed template for a website report and the points to be checked.
How can you check the status of the GDPR requirements on your website yourself?
Tools for checking the GDPR website compliance for your online presence
Now comes advertising! … but unpaid 😉
- uMatrix Browserplugin
- Ghostery Browserplugin
- BuiltWith Browserplugin or web service https://builtwith.com
- web service dataskydd https://webbkoll.dataskydd.net/
- Cookie Checker from Cookiebot https://www.cookie-checker.com
Basic requirements for a privacy-compliant website
Encrypted transmission
HTTPS encryption of the website should not even be up for discussion. As the Würzburg Regional Court stated in its ruling with the file no. 11 O 1741/18, encryption of the website is to be considered state of the art. We generally recommend encrypting the website, even if it does not transmit any personal data. It is important that the entire domain uses HTTPS by default, not just individual pages. We also recommend configuring a redirect, so that visitors who enter only HTTP are still forwarded to the encrypted page under HTTPS.
In addition to the security aspect, encryption can have a favorable effect in other areas. Browsers now mark unencrypted pages as "Not secure", and Google has confirmed HTTPS as a ranking signal, so encrypted pages can be expected to rank better.
In addition to HTTPS, check whether your site also sends the HSTS header (HTTP Strict Transport Security). HSTS tells the browser to use HTTPS for every later request to the domain for the period given in max-age, so even a typed http:// address never goes over the network unencrypted. Note that it only takes effect once the browser has seen the header over a valid HTTPS connection.
You can get an assessment of HTTPS and HSTS for your website via the dataskydd service.
Referrer policy
Dataskydd also tells you whether your website passes its own address along in the Referer header when a visitor follows a link to another site. For example, a visitor follows a link from your site to ours and the referrer information comes along; it is then obvious to us that the user came from your site. You control this with the Referrer-Policy header (or the referrerpolicy attribute on individual links).
This is not negative per se. Sometimes it may be useful or necessary to pass this information on. Check this case by case for your website.
Security settings for your web server
Dataskydd's evaluation also reports on the security settings of your web server and issues some recommendations that you can check.
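The three checks above (HTTP to HTTPS redirect, HSTS, Referrer-Policy and the basic server headers) can be scripted. The following JavaScript (Node.js) is an added example, not code from the original article or from Dataskydd; it evaluates responses you pass in as `{status, headers}` with lower-cased header names (the shape `fetch()` returns). The sample responses are constructed and stand in for an unhardened and a hardened site; the one-year max-age threshold and the header set checked are this example's assumptions.

```javascript
// Added example (not from the original article): evaluates the transport
// settings the article tells you to check, on responses you pass in.
// A response is {status, headers} with lower-cased header names, which is
// what fetch() gives you; the constructed samples below stand in for a
// site that has not been hardened and for one that has.

const ONE_YEAR = 31536000; // seconds; the HSTS max-age usually recommended

function parseHsts(value) {
  // e.g. "max-age=31536000; includeSubDomains; preload"
  const directives = value.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  return {
    maxAge: maxAge ? Number(maxAge.slice("max-age=".length)) : 0,
    includeSubDomains: directives.includes("includesubdomains"),
  };
}

// The plain-HTTP request must be answered with a permanent redirect to https://.
function auditRedirect(httpResponse) {
  const findings = [];
  const target = httpResponse.headers["location"] || "";
  if (httpResponse.status !== 301 && httpResponse.status !== 308) {
    findings.push(`HTTP request answered with ${httpResponse.status}, expected a 301/308 redirect`);
  } else if (!/^https:\/\//i.test(target)) {
    findings.push(`redirect target is not HTTPS: ${target || "(no Location header)"}`);
  }
  return findings;
}

// Headers to check on the HTTPS response: HSTS, Referrer-Policy and two
// basic server security headers.
function auditHttpsHeaders(httpsResponse) {
  const h = httpsResponse.headers;
  const findings = [];
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("Strict-Transport-Security (HSTS) missing");
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!includeSubDomains) findings.push("HSTS lacks includeSubDomains");
  }
  const policy = (h["referrer-policy"] || "").toLowerCase();
  if (!policy) {
    findings.push("Referrer-Policy missing, browser default applies");
  } else if (policy === "unsafe-url" || policy === "no-referrer-when-downgrade") {
    findings.push(`Referrer-Policy ${policy} sends the full page URL to third parties`);
  }
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: nosniff missing");
  }
  if (!h["content-security-policy"]) {
    findings.push("Content-Security-Policy missing");
  }
  return findings;
}

function auditSite(httpResponse, httpsResponse) {
  return [...auditRedirect(httpResponse), ...auditHttpsHeaders(httpsResponse)];
}

// Constructed sample responses (not captured from any real site).
const WEAK_HTTP = { status: 200, headers: { "content-type": "text/html" } };
const WEAK_HTTPS = { status: 200, headers: { "content-type": "text/html" } };
const GOOD_HTTP = { status: 301, headers: { location: "https://www.example.com/" } };
const GOOD_HTTPS = {
  status: 200,
  headers: {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'",
  },
};

// Live variant (needs network and Node 18+ for global fetch): request both
// variants of the home page without following redirects and audit them.
async function auditLive(host) {
  const toResponse = async (url) => {
    const r = await fetch(url, { redirect: "manual" });
    return { status: r.status, headers: Object.fromEntries(r.headers) };
  };
  return auditSite(await toResponse(`http://${host}/`), await toResponse(`https://${host}/`));
}

console.log("weak site:", auditSite(WEAK_HTTP, WEAK_HTTPS));
console.log("hardened site:", auditSite(GOOD_HTTP, GOOD_HTTPS));
```

Run it with `node audit.js` for the constructed samples, or call `auditLive("www.example.com")` against your own host. The live variant deliberately does not follow redirects: a redirect chain that goes through an HTTP hop would otherwise be hidden.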
GDPR website check for installed plugins and website extensions
- Open the website you want to check in the browser in which you have installed the extensions (e.g. uMatrix, Ghostery).
- Make sure that uMatrix and, if applicable, other ad blockers you have running are not blocking anything, so that every request the page makes becomes visible.
- Check your website with BuiltWith’s plugin or online service.
- Record all plugins / extensions and other installations reported by uMatrix, Ghostery, BuiltWith or other services.
- We recommend creating a table similar to the following one.
- In the first step, it is enough to fill in only the first and second column (name and purpose). It is important to describe the purpose of the extension as correctly as possible – i.e. what exactly the plugin or the extension does. This will later determine whether opt-in, opt-out or mention in the privacy policy is necessary at all.
If you use extensions whose functionality is unknown and whose manufacturer provides no information either, you should rather refrain from using them when in doubt.
| installation name / extension | purpose | relevant for privacy policy | opt-in necessary | opt-out necessary | order processor necessary |
|---|---|---|---|---|---|
| CMS: WordPress (self-hosted) | content management system for administration of contents | | | | |
| Google Fonts | fonts | | | | |
| Google Analytics | collection of visitor statistics | | | | |
| … | | | | | |
- Check your site through the Dataskydd service: https://webbkoll.dataskydd.net/
- Add any missing extensions / cookies / plugins to the table.
- Note the further results from Dataskydd in a report.
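The browser add-ons do the collecting for you, but the same inventory can be pulled from the page itself and turned into the first two columns of the table. The JavaScript below is an added example, not code from the article or from any of the tools named above. `collectResources()` is meant to be pasted into the browser console of the page under review; `inventory()` is a pure function you can run anywhere on its output. The `SAMPLE` data is constructed, the purpose lookup only knows the hosts the article itself mentions (everything else is reported as unknown), and the "last two labels" rule for telling first-party from third-party hosts is a simplification this example assumes.

```javascript
// Added example (not from the original article): turns the list of resources
// a page loads into the first two columns of the article's table.

// Purpose lookup built only from the services the article mentions; anything
// else is flagged for manual review.
const KNOWN_PURPOSES = {
  "fonts.googleapis.com": "web fonts (Google Fonts)",
  "fonts.gstatic.com": "web fonts (Google Fonts)",
  "www.google-analytics.com": "visitor statistics (Google Analytics)",
  "www.youtube.com": "embedded video (YouTube)",
};

function hostOf(url, pageHost) {
  try {
    return new URL(url, `https://${pageHost}/`).hostname; // relative URLs resolve to the page host
  } catch {
    return null; // unparsable value
  }
}

// Registrable-domain approximation (last two labels): good enough to tell
// cdn.example.com from www.example.com, wrong for suffixes like co.uk.
// Assumption of this example, not a general rule.
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Group every third-party resource by host. First-party resources are dropped
// because loading them transmits nothing to anyone else.
function inventory(resources, pageHost) {
  const rows = new Map();
  for (const { tag, url } of resources) {
    const host = hostOf(url, pageHost);
    if (!host || siteOf(host) === siteOf(pageHost)) continue;
    const row = rows.get(host) || {
      host,
      purpose: KNOWN_PURPOSES[host] || "unknown: check the vendor's documentation",
      tags: new Set(),
      requests: 0,
    };
    row.tags.add(tag);
    row.requests += 1;
    rows.set(host, row);
  }
  return [...rows.values()].map((r) => ({ ...r, tags: [...r.tags].sort() }));
}

// Browser only: static markup plus everything the page actually fetched
// (Resource Timing also catches requests made by scripts), and cookie names.
function collectResources() {
  const fromDom = [...document.querySelectorAll("script[src],link[href],iframe[src],img[src]")]
    .map((el) => ({ tag: el.tagName.toLowerCase(), url: el.src || el.href }));
  const fromTiming = performance.getEntriesByType("resource")
    .map((e) => ({ tag: e.initiatorType, url: e.name }));
  const cookies = document.cookie.split("; ").filter(Boolean).map((c) => c.split("=")[0]);
  return { pageHost: location.hostname, resources: [...fromDom, ...fromTiming], cookies };
}

// Constructed sample of what collectResources() might return on a WordPress
// site with Google Fonts, Google Analytics and a YouTube embed (VIDEO_ID is a placeholder).
const SAMPLE = {
  pageHost: "www.example.com",
  resources: [
    { tag: "script", url: "/wp-includes/js/jquery/jquery.js" },
    { tag: "link", url: "https://fonts.googleapis.com/css?family=Roboto" },
    { tag: "css", url: "https://fonts.gstatic.com/s/roboto/v20/font.woff2" },
    { tag: "script", url: "https://www.google-analytics.com/analytics.js" },
    { tag: "xmlhttprequest", url: "https://www.google-analytics.com/collect?v=1" },
    { tag: "iframe", url: "https://www.youtube.com/embed/VIDEO_ID" },
    { tag: "img", url: "https://cdn.example.com/logo.png" },
  ],
};

function sampleInventory() {
  return inventory(SAMPLE.resources, SAMPLE.pageHost);
}

console.table(sampleInventory());
```

Run `collectResources()` after the page has fully loaded and after interacting with it (scrolling, opening a video), because scripts fire further requests only then; the cookie names it returns go into the same table. Hosts reported as unknown are exactly the ones the article tells you to research before deciding on opt-in, opt-out and privacy policy entries.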
Evaluate extensions / cookies / plugins… regarding GDPR and other data protection requirements
You have now recorded everything that is installed on your website. Maybe there are a few extensions that surprise even yourself. Maybe you didn’t install everything consciously or directly?
Now comes the more difficult part of the GDPR website check. You need to evaluate your website extensions with regard to privacy. Does the cookie or plugin need to be mentioned in the privacy policy? Is an opt-in or opt-out required before the function may run for the user?
We will try to make your decision-making process a little easier by asking the following questions.
Does the plugin / cookie / extension need to be specified in the privacy policy?
You can answer “yes” to this question if, for example, any of the following apply:
- Personal data of the website visitor is collected and stored locally (no transmission to a third-party provider). This includes the IP address.
- Personal data (e.g. the IP address) is transmitted to an external service in order to perform certain functions on the website, regardless of whether the function is mandatory for the operation of the website or not. This includes, for example, web fonts loaded from the provider's servers.
The extension is not relevant for the privacy policy if no personal data is processed to perform the function. This is the case, for example, if you use web fonts such as Google Fonts but host them locally: no request leaves your server to load them, so you do not need to mention the web fonts in the privacy policy either.
Is an opt-in required to run the cookie / plugin / website extension?
Opt-in and opt-out refer to the user's ability to prevent or stop the processing of their personal data. They are among the most important means of making your website GDPR compliant. The Data Protection Conference (DSK) defined the distinction between opt-in and opt-out in its Guidance for Telemedia Providers as follows:
"The key difference between an opt-out solution and an opt-in solution is that in the case of an opt-out solution, data processing initially takes place and can only be prohibited for the future by declaring an objection. The situation is different, however, if consent (opt-in) is required. In this case, data processing may only take place after effective consent has actually been given by the user." (DSK – Data Protection Conference, Guidance for telemedia providers)
The ECJ’s October 1, 2019 ruling simplifies the answer to the question – but unfortunately to the detriment of site operators and site visitors.
The basic question is: Is the extension mandatory for the function or appearance of the website?
If you can answer “yes” to this question, you do not need to obtain user opt-in.
For all other cases, such as collecting visitor statistics, an opt-in is required.
Important! In its October ruling the ECJ also held that pre-selection is no longer permitted. The visitor must actively select the optional cookies and other website extensions; active means that the checkbox must not be pre-ticked.
No matter whether with consent or without: you must always inform about the cookies used in the privacy policy or in another way (e.g. directly via the cookie banner).
Is an opt-out necessary for the collection of personal information through the website?
Opt-in and opt-out now go together in practice: wherever there is an opportunity to opt in, there must also be a subsequent opportunity for the user to opt out again, i.e. to withdraw consent.
The reverse case also needs a way back. Example: the user has declined certain cookies, but these are necessary for playing a video. For such cases, we recommend providing a link in the privacy policy that makes the cookie notice reappear. A reference to the privacy policy (with link) should also not be missing from any cookie notice.
What requirements must a cookie banner meet?
The cookie notice or cookie banner must not cover the links to the privacy policy and the imprint (legal notice). Also, as mentioned above, the user must be able to change their settings afterwards (withdrawal).
We recommend choosing a cookie banner that categorizes the cookies used (e.g. necessary for function, statistics, marketing, personalization…)
The user must be able to select actively and voluntarily which cookies or cookie categories they want to allow before you start tracking. A technically correct implementation by the website operator is of course a prerequisite: nothing in an optional category may be loaded or set until the corresponding choice has been made.
On the occasion of Safer Internet Day 2019, the Bavarian State Office for Data Protection Supervision also scrutinized cookie banners on a number of websites. According to its assessment, many cookie notices currently in use do not prevent unintended tracking.
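The requirements above (no pre-selection, nothing optional runs before an active choice, ignoring the banner is not consent, withdrawal later) can be checked against a concrete gate. The JavaScript below is an added example, not the article's code and not any vendor's consent banner. It assumes a convention of this example: scripts needing consent are written into the page as inert tags, `<script type="text/plain" data-consent="statistics" data-src="…">`, so the browser neither runs them nor contacts the third party until the gate replaces them with real script elements. The consent store is kept in memory so the example runs in Node.js; in production it is a first-party cookie or localStorage entry. The inert tags and category names are constructed.

```javascript
// Added example (not from the original article, not a vendor's banner):
// a minimal consent gate for optional scripts marked up as
//   <script type="text/plain" data-consent="statistics" data-src="..."></script>
// data-consent / data-src are this example's own attribute names.

const CATEGORIES = ["necessary", "statistics", "marketing"];

// Banner state before any decision: no optional category is pre-selected.
function defaultChoices() {
  return { necessary: true, statistics: false, marketing: false };
}

// Build the decision from the checkboxes the visitor actually ticked.
// "necessary" is always on (it is not a consent matter); unknown values are ignored.
function choicesFromForm(checkedCategories) {
  const choices = defaultChoices();
  for (const c of checkedCategories) {
    if (CATEGORIES.includes(c) && c !== "necessary") choices[c] = true;
  }
  return choices;
}

// Which inert tags may be activated for a given decision.
function tagsToActivate(inertTags, choices) {
  return inertTags.filter((t) => choices[t.category] === true);
}

// The stored consent record (in memory here; a first-party cookie or
// localStorage entry in practice).
function createConsentStore() {
  let record = null; // null: no decision yet. Ignoring the banner is not consent.
  return {
    decide(checkedCategories) {
      record = { ...choicesFromForm(checkedCategories), decidedAt: new Date().toISOString() };
      return record;
    },
    current() {
      return record;
    },
    withdraw() {
      record = { ...defaultChoices(), decidedAt: new Date().toISOString(), withdrawn: true };
      return record;
    },
  };
}

// What a page load may activate: nothing at all until a decision exists.
function activeTags(store, inertTags) {
  const record = store.current();
  return record ? tagsToActivate(inertTags, record) : [];
}

// Browser side: replace granted inert tags with real script elements. Call it
// on every page load with the stored record, and again after the banner submits.
function activateInBrowser(choices) {
  for (const inert of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (choices[inert.dataset.consent] !== true) continue;
    const script = document.createElement("script");
    script.src = inert.dataset.src;
    inert.replaceWith(script);
  }
}

// Constructed inert tags, as they would appear on a page.
const INERT_TAGS = [
  { category: "statistics", src: "https://www.google-analytics.com/analytics.js" },
  { category: "marketing", src: "https://example-ads.invalid/pixel.js" },
];

function consentDemo() {
  const store = createConsentStore();
  const beforeDecision = activeTags(store, INERT_TAGS).length; // 0: banner not yet answered
  store.decide(["statistics"]); // visitor ticked exactly one box
  const afterOptIn = activeTags(store, INERT_TAGS).map((t) => t.category);
  store.withdraw(); // later, via the link in the privacy policy
  const afterWithdrawal = activeTags(store, INERT_TAGS).length; // 0 again
  return { beforeDecision, afterOptIn, afterWithdrawal };
}

console.log(consentDemo());
```

Two caveats a practitioner should keep in mind: a withdrawal cannot stop scripts that are already running in the open tab, so reload the page after `withdraw()` and delete the cookies the tool set on your domain; and the "Accept all" button must not be the only one-click option, otherwise the selection is not voluntary in the sense of the rulings quoted above.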
Cookie Directive and e-Privacy Regulation
In Germany, the Cookie Directive has not yet been transposed into national law, as the existing rule in the Telemediengesetz (TMG) was considered sufficient.
In addition, the EU is planning the so-called e-Privacy Regulation. The e-Privacy Regulation is also expected to deal with cookies. It will, as soon as it enters into force, replace the regulation from the TMG. Until the e-Privacy Regulation enters into force, there will therefore probably still be some ambiguity as to what exactly a GDPR compliant cookie notice looks like. However, the ECJ’s rulings already provide some direction.
Is the plugin provider a processor?
The question cannot generally be answered with a yes or no. Basically, one must distinguish between two cases:
- The provider creates the software for the website extension. After installation on your own web server or CMS, personal data is stored only locally on your own server; nothing is transferred to the manufacturer of the software.
- The provider creates the software or offers a web service that is integrated into your own website. In operation, data of the website visitor is collected and transmitted to the provider's servers.
In the first case, commissioned processing can be ruled out. In the second case, you must examine exactly what processing is involved. Is the processing of personal data the provider's core task? Then a data processing agreement (order processing contract, Art. 28 GDPR) is required in any case.
We cannot give a general answer to all other possibilities at this point. You can find more information on commissioned processing in the blog article on order processing (in German).
Examples for website extensions
Since the topic is very complex, we show a few examples from our website. We use WordPress and have installed several plugins. The following table shows some examples:
| installation name / extension | purpose | relevant for privacy policy | opt-in necessary | opt-out necessary | order processor necessary |
|---|---|---|---|---|---|
| AMP | site optimization for mobile devices | no | no | no | no |
| Google Fonts | fonts | yes | no | no | no |
| Google Analytics | recording visitor statistics | yes | yes | yes | yes |
| BackUpWordPress | software for automatic creation of backups of WordPress | no | no | no | no |
| Newsletter 2Go | include a registration form for the newsletter | yes | no | no | yes |
Update May 2020
The European Data Protection Board (EDPB; German abbreviation EDSA) published its updated guidelines on consent (Guidelines 05/2020), with a focus on websites, on 05/05/2020.
We briefly summarize the key messages of the guidelines:
Cookie walls
Access to a website must not be made dependent on whether cookies are accepted or not. That is, the website visitor must not be pressured to accept cookies in order to view the content of the website.
If, however, the website operator lets the visitor choose between paying for the content (e.g. a subscription) and accepting the cookies, the EDPB does not see this as a violation in the design of the consent.
If the website visitor does not want to pay for the content and accepts the cookies instead, they pay with their data, so to speak.
Ignore cookie banner
If the website visitor ignores the cookie or consent banner, this does not constitute effective consent.
The EDPB does not see this as the clear affirmative act required for valid consent.
Update November 2020
The LfDI (State Commissioner for Data Protection and Freedom of Information) of Lower Saxony audited the websites of 22 small companies (each with one or more websites) by means of a questionnaire.
The supervisory authority noted approvingly that the operators had evidently dealt intensively with the issue of cookies and cookie banners. Further results can be viewed here (in German only).
Furthermore, the LfDI published a handout (in German) on privacy compliant consent on websites (requirements for consent layers). In particular, it explains what requirements the consent must meet, at which point consent must be obtained, and what information the consent banner must provide.
Allowed nudging
An interesting aspect of the handout is its discussion of the graphic design of consent banners. So-called "nudging" is meant to steer the user subconsciously towards a particular action. The handout shows various examples of the nudging variants in use.
"If nudging is used by the controller with the aim of inducing the data subject to give consent, this may violate different legal requirements for consent under data protection law, depending on the specific design. What is certain is that there are limits to permitted nudging and behavior-manipulating designs can lead to invalidity of consent." (The State Commissioner for Data Protection of Lower Saxony, Handout: Data protection-compliant consent on websites – requirements for consent layers, November 2020)
Consent on the part of minors
It is recommended in the handout to refrain from using cookies/tools/plugins which require consent if the content is directed at children and minors.
However, if consent is required from minors under the age of 16, the site operator must ensure that it has been granted by a parent or guardian.
"For this purpose, it is not sufficient, for example, that the button with which consent is to be given is not activated until the user first confirms that he is a parent by clicking a button. […] However, an appropriate online identity verification procedure must be included on the website that offers a low probability of misuse." (The State Commissioner for Data Protection of Lower Saxony, Handout: Data protection-compliant consent on websites – requirements for consent layers, November 2020)
End of update
GDPR website check – content
We have now covered the biggest part. Now it’s about the content. Are these included on the website in a privacy compliant way?
Media
Hardly any page does without embedded media: videos from YouTube or maps from Google or OpenStreetMap, to name just two examples.
As a rule, data is already transferred to the service provider when the page is loaded. This means that even before the visitor watches the video, YouTube already knows that the user is currently on the page containing it.
Media should therefore be embedded in such a way that the content is loaded only on active viewing. By active viewing we mean nothing other than an explicit indication from the user that they now want to view the video, preferably by clicking on the object.
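One way to implement this click-to-load ("two click") embed for YouTube, as an added example that is not from the original article: the page ships only a placeholder, and the iframe, and with it the first request to Google, is created when the visitor clicks. The placeholder markup and the `data-embed` attribute are this example's own convention; `www.youtube-nocookie.com` is YouTube's privacy-enhanced embed host. `VIDEO_ID` in the sample URL is a placeholder, not a real video.

```javascript
// Added example (not from the original article): click-to-load YouTube embed.
// Nothing is requested from YouTube until the visitor clicks the button.

// Accepts the watch, short (youtu.be) and embed URL forms and returns the video id.
function parseYoutubeId(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  if (u.hostname === "youtu.be") return u.pathname.slice(1) || null;
  if (!/(^|\.)youtube(-nocookie)?\.com$/.test(u.hostname)) return null;
  if (u.pathname === "/watch") return u.searchParams.get("v");
  const m = u.pathname.match(/^\/embed\/([^/]+)/);
  return m ? m[1] : null;
}

// Privacy-enhanced embed URL (YouTube's own youtube-nocookie.com host).
function embedSrc(url) {
  const id = parseYoutubeId(url);
  return id ? `https://www.youtube-nocookie.com/embed/${encodeURIComponent(id)}` : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Server-side or build-time: what goes into the page instead of the iframe.
// No <iframe> and no thumbnail from YouTube's CDN, so the page load itself
// contacts no third party for this element.
function renderPlaceholder(url, title) {
  const src = embedSrc(url);
  if (!src) throw new Error(`not a YouTube URL: ${url}`);
  return (
    `<div class="video-placeholder" data-embed="${escapeHtml(src)}">` +
    `<p>${escapeHtml(title)}</p>` +
    `<button type="button">Load video from YouTube</button>` +
    `<p>Loading connects to YouTube (Google) and transmits your IP address. See our privacy policy.</p>` +
    `</div>`
  );
}

// Browser: on click, swap the placeholder for the real iframe.
function enableClickToLoad(root = document) {
  for (const box of root.querySelectorAll(".video-placeholder[data-embed]")) {
    box.querySelector("button").addEventListener("click", () => {
      const iframe = document.createElement("iframe");
      iframe.src = box.dataset.embed + "?autoplay=1"; // the visitor just asked to play
      iframe.width = "560";
      iframe.height = "315";
      iframe.allow = "autoplay; encrypted-media; picture-in-picture";
      iframe.setAttribute("allowfullscreen", "");
      box.replaceWith(iframe);
    });
  }
}

// Constructed example input (VIDEO_ID is a placeholder, not a real video).
const SAMPLE_URL = "https://www.youtube.com/watch?v=VIDEO_ID";
console.log(renderPlaceholder(SAMPLE_URL, "Product demo"));
```

Call `enableClickToLoad()` once the DOM is ready. If you want a preview image on the placeholder, serve it from your own domain: fetching the thumbnail from YouTube's CDN would again transmit the visitor's IP address on page load, which is exactly what the two-click pattern is meant to avoid.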
Newsletter
If a newsletter is offered, a few basic rules apply.
Prohibition of tying: make sure the newsletter is not tied to anything else. Example: you offer a free document, and the prospect automatically lands on your newsletter list when they request the document or sign up for a free webinar. Under the GDPR this violates the tying prohibition.
Data protection compliant newsletter providers: Only use services from providers that are considered GDPR compliant. Enter into an order processing agreement with the provider.
Data stored on registration: for sending a newsletter, only the e-mail address is mandatory. Therefore avoid further mandatory fields for personal data. If you want to ask for such information, make sure it is clearly voluntary.
Double opt-in: registration must be implemented in two steps. The interested party enters their e-mail address and then receives a confirmation e-mail containing a link they must click. Only then are they officially registered for the newsletter.
Note on the privacy policy: the registration form should make clearly recognizable what the data subject "receives". Briefly describe your newsletter: do you offer purely information, or will you also send advertising? If advertising, only your own or also third parties'? Also refer to the privacy policy, in which the newsletter mailing must be described clearly. However, a confirmation of this privacy policy (checkbox) is NOT necessary!
Forms
Data collected via forms is bound to its purpose. That is, it may initially be used only for the purpose for which it was collected.
If you offer forms through which data subjects can contact you, you should note the following:
Data minimization: as with newsletter registrations, only make those fields mandatory that are required to answer the request. If you respond by e-mail, the phone number should be an optional field at most.
Note on the privacy policy: describe the purpose of the form and provide the other mandatory information under GDPR Art. 13 on the procedure. The purpose determines the legal basis of the processing. For contact forms it can usually be argued that the processing is a contractual or pre-contractual measure under GDPR Art. 6 (1) lit. b. In that case a reference to the privacy policy, as with newsletter sign-ups, is sufficient.
Pictures of people
Do you use your own images on your website, and do they depict people? In that case you must obtain consent to publish the images.
Respect it if employees refuse to have their pictures published.
GDPR website check – social media profile
This point is less about the website itself. Nevertheless, there is a connection between your social media profiles and your web presence.
For each profile you operate on social media, you need a notice in your privacy policy.
In addition, we recommend that you include a notice in the title or subtitle of the privacy policy. Explicitly show which social profiles this privacy policy also applies to.
On your social media profiles, again, reference your website’s privacy policy.
Create privacy statement
At this point, we have reached the end of the website check. What is still needed is a complete privacy policy; then your website will be GDPR compliant.
I dedicate a separate post to the topic of creating a privacy policy. The effort required to create a privacy policy depends on whether you use many custom website extensions.
Conclusion: GDPR compliant website
Quickly checking a website for GDPR compliance on the side is hardly possible. In our experience, the greatest effort lies in the analysis of the identified website extensions.
What is your experience with creating a privacy compliant website? How do you ensure that your website meets current requirements? Do you use any special tools or services? We’re curious. Do let us know in a comment.
Checklist for the GDPR compliant website
Checklist for the GDPR compliant website: download
Finn Hillebrand has put together a great guide to creating a website in his post on Blogmojo. Click here for the article! (in German)
Help with website check
Need help checking your website or creating a complete privacy policy? We would be happy to assist you. Send us a no-obligation E-Mail.
Sources
European Data Protection Board: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_cons