This document presents an overview of Didomi's Compliance Report: what we analyze, how our bot gathers data and how we classify each type of tracker/vendor.
Please note that our Compliance Report is meant as a guide to be used in further consultations with your own DPO and legal team.
What is the Compliance Report?
The Compliance Report is a tool found inside the Didomi console which provides our clients with a compliance evaluation from Didomi's perspective.
The main benefits of the Compliance Report are the Didomi rating (from 0 to 4 stars) and our recommendations, where you will find suggestions on how to increase your compliance score.
The Compliance Report should in no way be considered a substitute for legal advice, and report findings should be shared with your DPO before taking any action. For more detailed compliance findings, we recommend our Advanced Compliance Monitoring module. Please contact your account manager for more information.
How it works
Our Compliance Report follows a three-step process:
1. Bot navigation of a specific website to gather information
2. Data analysis
3. Report creation
1. Bot navigation
Our bot automatically visits a website and, according to the parameters set in the "Add Domain" page, performs what is known as a "scraping session". The maximum number of pages scanned during a single session is 20. This number has been defined by our experts as sufficient to gather conclusive data for the report. Within a session, the bot collects information about the trackers dropped and vendors triggered on that specific website.
2. Data analysis
Once the information regarding trackers and vendors is collected, we convert this to a human-readable form. This means that we map trackers to their type. In the case of vendors, we try to match them with vendor information stored in our databases in order to give you as much clarity as possible as to their origin and purpose.
There are three types of trackers:
1. Cookies - HTTP cookies are small blocks of data created by a web server (via a Set-Cookie header) or by script running in the page (via document.cookie) while a user is browsing a website, and stored on the user's device by the browser. More than one cookie may be placed on a device during a session. A cookie expires according to its Expires or Max-Age attribute; a cookie with neither is a session cookie that is discarded when the browsing session ends.
2. Pixels - a tracking pixel is a small resource (typically a 1x1 image or a script) embedded in a web page or email. Loading it sends an HTTP request to the tracker's server, which is how it records visits, user behaviour and conversions, even when no cookie is set.
3. Local storage - this is a type of web storage (the localStorage object) that lets a site store key/value data in the browser, scoped to the origin that wrote it, with no expiration date. The data persists after the browser window has been closed and remains until the site or the user clears it.
Trackers 1st/3rd party
Trackers can also be categorised into "first party" and "third party". This depends on which entity drops the tracker, i.e. the domain the tracker is written to, rather than on which script initiated it. If the tracker is set on the website's own domain, it is counted as first party. If it is set on a vendor's domain, it is counted as third party. Keep in mind that a cookie can be created by a vendor (the initiator) but still be dropped by the website itself on its own domain (for example, when the vendor's script is loaded through a tag manager). In this case, the tracker is considered first party, although the vendor remains listed as its initiator.
We evaluate each vendor triggered on a website, assigning it both a category and a Trust Index value. Vendors are currently classified based on whether or not they appear on the IAB TCF v2.0 vendor list.
3. Report creation
The following steps are part of report creation:
- Data aggregation
- Mapping of trackers to initiators
- Calculation of number of requests to/from each vendor
- Computation of recommendations
- Calculation of Didomi score
We then present the information in the Didomi console in two sections:
- Trackers: a table containing all trackers dropped and all relevant information computed for them. This includes the type of the tracker, whether it is first or third party, and the vendor that triggered it.
- Vendors: two views, a table and a graph. The table lists all vendors known to our database, whereas the graph includes all vendors and their chaining (which vendor loaded which).
The graph view makes it easier to identify all third-party vendors triggered, as well as the vendors responsible for triggering them. Bear in mind that a vendor's script can itself load another vendor (often called piggybacking). If a vendor that is not supposed to appear is in fact being triggered by a third party, the triggering party is the one to contact, since only it can remove that call.
Didomi provides a list of action items that we consider important from a GDPR perspective. Please note that this is our interpretation, and our recommendations should be used only as a starting point for discussions with your DPO before taking any action. The following is a list of possible recommendations that could be generated, as well as an explanation for each.
- No consent notice was detected on the website.
- The consent notice does not provide information about purposes and vendors.
- N trackers have a lifetime longer than 13 months. The GDPR itself sets no figure, but supervisory-authority guidance (notably the CNIL's) recommends a maximum of 13 months for consent-based cookies, and a cookie whose Expires or Max-Age is further away than that will be flagged. To remove cookies with a lifetime exceeding 13 months, you can either ask your vendor to reduce the lifetime of the cookie, or ask the vendor how to delete it completely. For more information, see the linked article; for configuring the lifetime of a Google cookie, see Google's documentation.
- N trackers have been triggered by vendors from countries that are not GDPR-adequate or that do not have a privacy law.
- N vendors have a very low trust index, which could compromise your reputation.
- N vendors or initiators are unknown to our database. Review them to be sure they are legitimate: a host that is not in our vendor database is not necessarily malicious, but it cannot be mapped to a purpose or a Trust Index. If you do know the vendor, you can "forget" this warning message.
- You are not honoring user choices.
Using the Compliance Report
The Compliance Report should be used as a tool for guidance, and not as a compliance validator. It offers insight into how your website behaves when accessed, as well as a check that vendors and trackers are being triggered as expected.
Our recommendations also provide Didomi's own approach to good website "housekeeping" from a compliance point of view. We emphasise that these are only suggestions and neither mandatory actions nor reassurance that your compliance requirements are being met.
Please also note that the bot's scan can produce false positives and false negatives: because a session covers at most 20 pages, trackers set only on pages, user journeys or authenticated areas the bot did not reach will not appear, and a host can occasionally be mapped to the wrong vendor. As such, the only way to ensure your website's compliance is by validating that all requirements are met jointly with your DPO.
The "You are not honoring user choices" recommendation is raised when the bot observes trackers being dropped in either of two situations:
- When consent is denied
- Before a user makes a consent choice