Better understand which factors affect each component of a vendor privacy score and how scores can be improved.
Cookie Policy, Choice
Do users of a website have meaningful choices when it comes to the cookies used on a website? Is important information provided to users before they make those choices about cookies?
- Users should be informed about how they can opt out of or disable non-essential cookies and how to opt out of tracking.
Cookie Policy, Enforcement
How does the organization comply with its own cookie policy? What does it tell users about its use of cookies?
- The cookie policy should be maintained for accuracy, reviewed periodically, and updated as necessary.
Cookie Policy, Notice and Disclosure
Does the organization provide adequate notice to users about its use of cookies? Does the website disclose its use of cookies to users? If so, how?
- The cookie policy should be conspicuous, thorough, and easy to understand. It should provide details about the cookies being used, their purpose, and what sort of consent is being requested.
Follow Up
Is anything strikingly out-of-the-ordinary about the organization’s privacy practices or policies?
GDPR Statement, Accessibility
What does the organization tell users about how it handles its global privacy obligations using the GDPR as a baseline? This section looks at the availability of pertinent privacy information for transparency in data processing from the user’s perspective.
- The GDPR statement should be easy to find, easy to understand, and complete.
GDPR Statement, Choice
Does the organization give users choices about how their personal data is collected and used, and what choices, if any, are available to users?
- Users should be informed as to how they can exercise their rights under GDPR.
GDPR Statement, Enforcement
What measures does the organization take in order to demonstrate its compliance with the GDPR? How does the company hold itself accountable for GDPR compliance?
- The GDPR statement should define which entities are responsible for enforcement of GDPR regulations.
GDPR Statement, Notification
How does the organization notify its users about its data processing activities? Does the organization notify users about various data processing activities it may engage in?
- The organization's GDPR statement should be easy to find on the website.
- The GDPR statement should be easy to understand.
GDPR Statement, Identification
How does the organization represent its role and its obligations when it comes to privacy compliance? How does the organization identify itself for GDPR purposes and hold itself out to regulators?
- Users should be able to identify whether personal data is collected and the roles of the respective parties (i.e., whether acting as a processor or controller).
GDPR Statement, Notice
Does the organization give users adequate notice with regard to how their personal data is collected and used? How does the organization give notice to users about whether and how personal data is shared with other entities?
- Users should be provided details about high-risk uses of their data.
- Users should be able to understand the legal basis under which the data is being processed.
- Users should be made aware of any transfers of data to other entities or regions.
Subject Rights and Obligations
How does the organization make users aware of their rights regarding personal data, using GDPR as a baseline? What is the company’s process for allowing data subjects to exercise those rights?
- Users should be informed of how they may opt out of data collection.
- Users should be informed of how they may exercise their rights, including the rights to correct, delete, transfer, or restrict or withdraw consent from use of their personal data.
Privacy Policy, Accessibility
Are the organization’s privacy practices accessible to average users? Can users access information related to privacy from an organization’s website and can that information be readily understood by an average user?
- An organization’s privacy policy should be easy to find and easy to understand.
Privacy Policy, Choice
What choices are available to users of the organization’s website when it comes to their personal information? Are users able to opt out of the organization’s use of their personal information for any reason?
- The privacy policy should detail that consent is required for sharing of personal information and how the user may revoke consent.
- The privacy policy should detail all uses of personal data.
Privacy Policy, Enforcement and Accountability
How does the organization hold itself accountable for its privacy practices? How does the organization adhere to standard best practices with regard to general privacy practices?
- The organization should clearly detail how it holds itself accountable to enforce its privacy policy.
- The privacy policy should detail which laws and regulations the organization complies with.
- The privacy policy should be maintained for accuracy, reviewed periodically, and updated as necessary.
- Users should be given information about how they can raise questions or complaints.
Privacy Policy, Notice
Does the organization provide notice to its users regarding its data privacy practices? What does the organization tell its users about what types of information are collected and how the organization uses that information?
- The policy should disclose what types of data are collected and how.
- The policy should detail if data is sold or shared.
- The policy should describe what sort of consent is requested in order to collect personal data.
Privacy Policy, Rights and Obligations
What do the organization’s privacy documents tell users about their rights regarding their personal information? What are the organization’s obligations to individuals who exercise those rights and its duties under applicable laws?
- Users should be informed of how they may exercise their rights to correct, delete, transfer, or restrict or withdraw consent from use of their personal data.
Privacy Policy, Security
Do the organization’s privacy documents disclose the security measures it has implemented? How do the privacy policy and other documents explain the measures the organization takes to protect the personal information it collects, holds, and uses? If security information is not easy to locate or navigate to, this may result in a lower score in these sections.
- The privacy policy should detail what measures are in place to secure users’ personal information.
Security Statement, Administrative Security
What specific administrative security measures has the organization taken and what controls has it implemented to protect any personal information it uses or holds?
- The security statement should detail what measures are taken to safeguard the organization’s data, including any administrative security policies such as training or personnel screening.
Security Statement, Certification
Does the organization say it holds any compliance certifications?
- The security statement should detail which third-party security certifications the organization holds.
Security Statement, Enforcement and Accountability
By what external and internal mechanisms does the organization validate its security practices and hold itself accountable for adhering to those security practices?
- The security statement should detail any testing and third-party auditing that the organization conducts.
Security Statement, Operational Security
What specific operational security measures has the organization implemented to protect any personal information it uses or holds?
Security Statement, Physical Security
What specific physical security measures has the organization implemented to protect any personal information it uses or holds?
- The security statement should detail what physical security measures are in place at the organization.