Vendor Score Recommendations

This guide details the considerations that go into scoring privacy vendors, providing a brief summary of key evaluation criteria.

Cookie Policy

Choice

  • Does the website provide meaningful choices about cookie usage?
  • Is essential information shared with users before they make cookie-related choices?
  • Users should be informed of how to opt out of non-essential cookies and tracking.

Enforcement

  • How does the organization ensure adherence to its cookie policy?
  • How is this policy communicated to users?
  • The cookie policy should be maintained for accuracy, reviewed regularly, and updated as needed.

Notice and Disclosure

  • Does the organization adequately inform users about its use of cookies? How is this disclosed?
  • The cookie policy should be clear, thorough, and easy to find.
  • It should detail the cookies used, their purpose, and the type of consent required.

Follow-Up

  • Are there any unusual or concerning aspects in the organization's privacy practices?

GDPR Statement

Accessibility

  • How accessible is the organization’s GDPR statement for users seeking transparency about data processing?
  • The GDPR statement should be easy to locate, understand, and comprehensive.

Choice

  • Does the organization offer users choices regarding the collection and use of their data?
  • Users should be informed about how they can exercise their rights under GDPR.

Enforcement

  • What actions does the organization take to demonstrate GDPR compliance?
  • How is accountability for GDPR adherence ensured?
  • Entities responsible for GDPR enforcement should be clearly defined.

Notification

  • How does the organization notify users about data processing activities?
  • The GDPR statement should be easy to find and understand.

Identification

  • How does the organization clarify its role in data processing for GDPR purposes?
  • Users should be able to identify whether data is collected and understand the organization's role (processor or controller).

Notice

  • How are users informed about data collection and usage practices?
  • Details about high-risk data uses should be provided.
  • The legal basis for data processing should be clarified.
  • Users should be informed about data transfers to other entities or regions.

Subject Rights and Obligations

  • How does the organization enable users to exercise their GDPR rights?
  • Users should be informed of how to opt out of data collection.
  • The process to correct, delete, transfer, or restrict data, or withdraw consent, should be clearly explained.

Privacy Policy

Accessibility

  • Is the privacy policy easy for users to find and understand?
  • The policy should be clearly accessible and straightforward.

Choice

  • What choices are available to users regarding their personal information?
  • Consent requirements for sharing information and revocation methods should be detailed.
  • All uses of personal data should be listed.

Enforcement and Accountability

  • How does the organization enforce its privacy policies and uphold best practices?
  • Accountability mechanisms and applicable regulations should be explained.
  • The policy should be kept accurate and updated.
  • Information on how to raise questions or complaints should be provided.

Notice

  • How does the organization notify users about its data privacy practices?
  • The policy should disclose the types of data collected and how they are gathered.
  • Clarify if data is sold or shared.
  • Describe the consent process for data collection.

Rights and Obligations

  • How does the organization inform users of their privacy rights and responsibilities?
  • Clearly outline how users can exercise their rights (e.g., to correct, delete, or transfer data).

Security

  • What security measures are in place to protect user data?
  • Detail security measures and procedures in the privacy policy.

Security Statement

Administrative Security

  • What administrative measures are used to safeguard data?
  • Detail training programs, personnel screening, and security protocols.

Certification

  • Does the organization hold any security certifications?
  • List all third-party security certifications held.

Enforcement and Accountability

  • How does the organization validate its security practices?
  • Detail internal testing and external audits.

Operational Security

  • What operational security measures are in place?
  • Describe processes and controls ensuring operational security.

Physical Security

  • How is physical security maintained to protect personal information?
  • Detail facility security measures and protocols.

Product Security

  • What security protocols are applied to the organization’s products or services?
  • Describe specific security features integrated into products and services.