Osano calculates the score for each vendor based on 163 items in our ontology. These items belong to the following groupings; for each vendor in the system, you can see how it scored in each specific grouping of questions. Although we do not share our ontology, we do share the groupings. They are as follows:
This section looks at whether users of a website have meaningful choices when it comes to the cookies used on a website. It also evaluates whether important information is provided to users before they make those choices about cookies.
This section evaluates whether there is anything strikingly out-of-the-ordinary about the organization’s privacy practices or policies.
GDPR Statement, Accessibility
This section examines how an organization tells users about how it is handling its obligations under the GDPR. It looks at the availability of pertinent GDPR information from the user’s perspective.
GDPR Statement, Choice
This section looks at how, and if, an organization gives users choices in terms of how their personal data is collected and used and what choices, if any, are available to users.
GDPR Statement, Enforcement
This section looks at the measures an organization takes in order to demonstrate its compliance with the GDPR. It also evaluates how the company holds itself accountable for GDPR compliance.
GDPR Statement, Notification
This section looks at how an organization notifies its users about its data processing activities. It also looks at whether the organization notifies users about various data processing activities it may engage in.
GDPR Statement, Identification
This section evaluates how an organization represents its role and its obligations when it comes to GDPR compliance. It looks at how the organization identifies itself for GDPR purposes and holds itself out to regulators.
GDPR Statement, Notice
This section looks at whether the organization gives users adequate notice with regard to how their personal data is collected and used. It also looks at how the organization gives notice to users about whether and how personal data is shared with other entities.
GDPR Statement, Rights and Obligations
This section evaluates how an organization makes users aware of their rights regarding personal data under the GDPR. It also looks at the company’s process for allowing data subjects to exercise those rights.
This section evaluates how accessible an organization’s privacy practices are to average users. It looks at whether users can access the information related to privacy from an organization’s website and whether that information can be readily understood by an average user.
This section looks at what choices are available to users of an organization’s website when it comes to their personal information. It looks at whether users are able to opt out of the organization’s using their personal information for any reason.
This section evaluates how an organization holds itself accountable for its privacy practices. It considers how the organization adheres to standard best practices with regard to general privacy practices.
This section evaluates how an organization provides notice to its users regarding its data privacy practices. It looks at what the organization tells its users about what types of information are collected and how the organization uses that information.
This section looks at how the organization’s privacy documents tell users about their rights regarding their personal information. It also looks at the organization’s obligations to individuals who exercise those rights and its duties under applicable laws.
Security Statement, Administrative Security
This section analyzes the specific administrative security measures an organization has taken and controls it has implemented to protect any personal information it uses or holds.
Security Statement, Certification
This section evaluates any compliance certifications that an organization says it holds.
Security Statement, Enforcement, and Accountability
This section looks at the external and internal ways that an organization validates its security practices and holds itself accountable for adhering to those security practices.
Security Statement, Operational Security
This section evaluates the specific operational security measures an organization has implemented to protect any personal information it uses or holds.
Security Statement, Physical Security
This section evaluates the specific physical security measures an organization has implemented to protect any personal information it uses or holds.
Security Statement, Product Security
This section evaluates the security measures the organization has implemented specifically for any of its products.