Vendor Scoring Criteria

Osano calculates the scores for each vendor based on 163 items in our ontology. These items are grouped in the categories listed on this page. You can see how each vendor scored in each category. 

Cookie Policy, Choice

This section looks at whether users of a website have meaningful choices when it comes to the cookies used on a website.  It also evaluates whether important information is provided to users before they make those choices about cookies.

Cookie Policy, Enforcement

This section considers how an organization complies with its own cookie policy and what it tells users about its use of cookies.

Cookie Policy, Notice, and Disclosure

This section looks at whether an organization provides adequate notice to users about its use of cookies. It also considers if and how the website discloses its use of cookies to users. 

Follow Up

This section evaluates whether there is anything strikingly out-of-the-ordinary about the organization’s privacy practices or policies. 

GDPR Statement, Accessibility

This section examines how an organization tells users about how it is handing its obligations under the GDPR.  It looks at the availability of pertinent GDPR information from the user’s perspective.

GDPR Statement, Choice

This section looks at how-- and if-- an organization gives users choices in terms of how their personal data is collected and used and what choices, if any, are available to users.

GDPR Statement, Enforcement

This section looks at the measures an organization takes in order to demonstrate its compliance with the GDPR. It also evaluates how the company holds itself accountable for GDPR compliance. 

GDPR Statement, Notification

This section looks at how an organization notifies its users about its data processing activities. It also looks at whether the organization notifies users about various data processing activities it may engage in. 

GDPR Statement, Identification

This section evaluates how an organization represents its role and its obligations when it comes to GDPR compliance.  It looks at how the organization identifies itself for GDPR purposes and holds itself out to regulators. 

GDPR Statement, Notice

This section looks at whether the organization gives users adequate notice with regards to how their personal data is collected and used.  It also looks at how the organization gives notice to users about whether and how personal data is shared with other entities. 

GDPR Statement, Rights and Obligations

This section evaluates how an organization makes users aware of their rights regarding personal data under the GDPR.  It also looks at the company’s process for allowing data subjects to exercise those rights.

Privacy Policy, Accessibility

This section evaluates how accessible an organization’s privacy practices are to average users.  It looks at whether users can access the information related to privacy from an organization’s website and whether that information can be readily understood by an average user. 

Privacy Policy, Choice

This section looks at what choices are available to users of an organization’s website when it comes to their personal information. It looks at whether users are able to opt out of the organization’s using their personal information for any reason. 

Privacy Policy, Enforcement, and Accountability

This section evaluates how an organization holds itself accountable for its privacy practices.  It considers how the organization adheres to standard best practices with regard to general privacy practices. 

Privacy Policy, Notice

This section evaluates how an organization provides notice to its users regarding its data privacy practices. It looks at what the organization tells its users about what types of information are collected and how the organization uses that information. 

Privacy Policy, Rights, and Obligations

This section looks at how the organization’s privacy documents tell users about their rights regarding their personal information.  It also looks at the organization’s obligations to individuals who exercise those rights and its duties under applicable laws.

Privacy Policy, Security

This section looks at whether an organization’s privacy documents disclose the security measures the organization has implemented if any.  It looks at how the privacy policy and other documents explain the measures the organization takes to protect the personal information it collects, holds, and uses. 

Security Statement, Administrative Security

This section analyzes the specific administrative security measures an organization has taken and controls it has implemented to protect any personal information it uses or holds. 

Security Statement, Certification

This section evaluates any compliance certifications that an organization says it holds.

Security Statement, Enforcement, and Accountability

This section looks at the external and internal ways that an organization validates its security practices and holds itself accountable for adhering to those security practices.

Security Statement, Operational Security 

This section evaluates the specific operational security measures an organization has implemented to protect any personal information it uses or holds. 

Security Statement, Physical Security

This section evaluates the specific physical security measures an organization has implemented to protect any personal information it uses or holds. 

Security Statement, Product Security

This section evaluates the security measures the organization has implemented specifically to any of its products.