Compliance report overview
Access Type: Compliance Report - Viewer or Editor
The Didomi compliance report is an audit tool that enables your organization to review the compliance of your domain with regard to GDPR regulations. It offers insight into how your website behaves when accessed, as well as validation that vendors and trackers are also being triggered as expected.
In this article, we provide an overview of the data included in the following tabs of the compliance report:
Navigate to a compliance report by clicking Compliance Report on the left-hand panel and selecting Details inline with a domain on the subsequent page.

Note: Additional information is included in the compliance report for organizations who have Advanced Compliance Monitoring (ACM). Click here for more information.
Didomi rating
The Didomi rating is a custom assessment made by Didomi that evaluates the domain based on a variety of factors such as:
number of trackers dropped despite refusal
number of vendors triggered despite refusal
presence of a CMP
presence of a privacy policy
using security tools
The above factors are each given a specific weight in the calculation, which produces a score from 0 to 100. This score is then represented in the Didomi Rating as 0 to 4 stars.

Trackers
Click the Trackers tab to review data on the trackers discovered on the domain for the compliance report.

The data on the trackers tab can be filtered by the following parameters:
Type
There are four types of trackers:
Cookie - Small block of data placed on the end-user's device while. Cookies will expire based on their settings.
Pixel - an HTML code snippet which is loaded when an end-user visits a website or opens an email. Pixels are useful for tracking end-user behavior and conversions.
Web storage - Enables a party to access a local storage object and store data in the browser with no expiration date. Data stored in the browser will persist even after the browser window has been closed.
Indexed DB - Client-side storage mechanism within web browsers, designed to allow web applications to store large amounts of structured data locally on the user's device for offline functionality and performance enhancements
1st/3rd-party
Trackers can be categorized into 1st-party or 3rd-party depending on which entity has triggered the dropping of the tracker. If the website itself is dropping a tracker then it will be counted as a 1st-party tracker. A tracker dropped by a vendor will be counted as a 3rd-party tracker. Note: Cookies can be created by a vendor (initiator) but still be dropped by the website itself (e.g. tag managers). In this case, the tracker is considered a 1st-party tracker.
Lifetime
Lifetime of the tracker before it expires.
Exemption
If the tracker is configured as consent-exempt in the tracker policy for the domain

For each tracker dropped on the domain in the compliance report Didomi will provide the following information:
Note: The difference between a vendor and initiator is that:
Vendor - requests a tracker to be launched. They have access to the data and are responsible for the data treatment
Initiator - the party that is technically called by the Vendor to launch the tracker
Tracker name
Name of the tracker as found on the domain
Domain
Domain of the tracker
1st/3rd party
Indicates whether the tracker is categorized as a 1st-party or 3rd-party tracker. See filter table above for more information.
Initiator
Initiator of the tracker
Vendor
Name of the initiator that launched the tracker
Type
Indicates whether the tracker is a cookie, pixel, web storage, or Indexed DB. See filter table above for more information.
Lifetime
Lifetime of the tracker before it expires
Flagged cookies
Icons indicate if the tracker meets one of the following criteria:
Non-secure: Cookies declare whether they are secure through the Secure attribute. If there is no Secure flag, the cookie can be sent over an unencrypted connection. If the cookie is secure, it is only sent over HTTPS, so its confidentiality is protected from attackers on the network. For cookies that store sensitive or personal information it is recommended at a minimum that secure cookies are used.
Persistent: Stores information in the end-user’s browser for a long time.
Large: (> 100 bytes)
Purposes
Purposes mapped to the tracker in the tracker policy for the domain
Exemptions
Indicates if the tracker is configured as consent-exempt in the tracker policy for the domain
Vendors
Click the Vendors tab to review data on the vendors discovered on the domain for the compliance report.

The data on the vendors tab can be filtered by the following parameters:
TCF/Non-TCF
Filters list of vendors into either:
Vendors who belong to the IAB Transparency and Consent Framework (TCF)
Vendors who do not belong to the IAB Transparency and Consent Framework (TCF)
Processing rule
The legal bases used by the vendor

For each vendor discovered on the domain in the compliance report Didomi will provide the following information:
Name
Name of the vendor
TCF ID
If vendor is a member of the IAB TCF then Didomi will display the vendor's IAB TCF ID.
Processing rule
Legal base used by the vendor
Requests for tags
Number of requests that the vendor has performed
Additional information for a particular vendor can be viewed by clicking the name of the vendor from the list. A subsequent modal will provide the following information for the vendor:
Whether vendor is a member of the IAB TCF
Privacy policy
Domains owned by the vendor according to the Didomi database
Trackers dropped by the vendor on your domain
Vendors who requested this particular vendor
Vendors who were initiated by this particular vendor

In addition to the table view of vendors found on the domain, Didomi also provides an interactive graph that visualizes how vendors are being requested on the domain. Select any vendor on the graph to highlight how it is called on your domain and which vendors it subsequently calls on your domain.

Compliance issues
For every compliance report generated on a domain Didomi will catalogue any potential problems as it pertains to GDPR compliance in the Compliance issues tab of the report. These issues and recommendations are based on Didomi's extensive knowledge of the data privacy landscape but should not be taken as legal advice. Rather, use the catalogued issues and recommendations as a starting point with your Data Protection Officer (DPO) before taking any action.
Click the Compliance issues tab to review the issues catalogued for the compliance report.
Expand the accordion for certain compliance issues for more detailed information.

Review the table for the issues and recommendations Didomi can raise within a compliance report:
The Privacy Policy is not accessible from every page of the website
Didomi bot was unable to access your organization's privacy policy on at least one page for the domain.
Note: This issue does not mean the privacy policy does not exist on the page but that the bot was unable to detect it during the scraping session. This issue can arise from how your privacy policy is worded.
No CMP was detected on the website
Didomi bot did not encounter a consent management platform (CMP) to provide end-user consent.
The privacy policy does not seem to provide a way to opt out
Didomi bot was unable to find a link/button in the privacy policy that allows an end-user to manage their consent preferences.
The consent notice doesn’t provide information about purposes and vendors
Didomi bot was unable to find information about the vendors and purposes your organization uses to process end-user data in the consent notice.
Number of trackers that have lifetime longer than 13 months which is not recommended by GDPR
Didomi bot discovered cookies dropped on the domain with lifetimes exceeding 13 months. Ask the vendor dropping the cookies to reduce the lifetime of the cookie or to delete it completely. Click here to learn more.
Number of vendors or initiators that are unknown to our database, review them to be sure they are legit
Vendor or initiator found on domain is not known in the Didomi database. Avoid this issue in future compliance reports by manually matching the vendor. Click here for more information.
A Cookie Policy wasn’t found
Didomi bot was unable to find a cookie policy on the domain.
There are additional issues and recommendations Didomi can surface for organizations utilizing Advanced Compliance Monitoring (ACM). Click here for more information.
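As an added example (not Didomi's code or its scanning method), the Python below applies the criteria from the Flagged cookies row and the 13-month lifetime issue to raw Set-Cookie header values, so the same checks can be run on your own responses before a report is generated. The function names, the 396-day approximation of 13 months, the name-plus-value size measure, treating any cookie with Expires or Max-Age as persistent, and the sample headers are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumptions (not Didomi's documented method): 13 months is approximated
# as 396 days, and size is measured as len(name) + len(value) in bytes.
THIRTEEN_MONTHS = timedelta(days=396)
LARGE_BYTES = 100

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    pairs = (part.partition("=") for part in rest)
    attrs = {k.strip().lower(): v.strip() for k, _, v in pairs}
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """Return the cookie lifetime, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None

def flag_cookie(header, now):
    """Return the list of report-style flags raised by one Set-Cookie value."""
    name, value, attrs = parse_set_cookie(header)
    flags = []
    if "secure" not in attrs:  # without Secure the cookie may travel over HTTP
        flags.append("non-secure")
    life = lifetime(attrs, now)
    if life is not None:  # assumption: any explicit lifetime counts as persistent
        flags.append("persistent")
        if life > THIRTEEN_MONTHS:
            flags.append("lifetime>13mo")
    if len((name + value).encode()) > LARGE_BYTES:
        flags.append("large")
    return flags

# Constructed sample headers, not taken from a real scan.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "_trk=" + "x" * 120 + "; Max-Age=63072000; Path=/",
    "pref=dark; Expires=Mon, 01 Jul 2024 00:00:00 GMT; Secure",
]
for header in SAMPLES:
    print(header[:30], "->", flag_cookie(header, NOW))
```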