
Why online privacy testing tools are not accurate

There are several websites, such as https://2gdpr.com/ and https://cookiebot.com, where you can run an online test to see whether your WordPress website and its cookie management system are compliant with the GDPR. Sometimes these websites report a failure, mostly when analytics cookies are loaded before the visitor has been able to give permission.

GEO IP and Guidelines per Region

Before explaining why this happens, you need to know that the Complianz GDPR/CCPA plugin works with GEO IP. That means the plugin dynamically applies the cookie laws and DPA opinions of the region the website visitor comes from.

So if the visitor’s region is the United Kingdom (https://complianz.io/brexit-and-gdpr-the-new-ico-guidance-pecr/), consent is always asked for statistical and tracking cookies. In the Netherlands and France, however, first-party analytics and anonymous statistical cookies are allowed without asking for consent. According to the German DPA, on the other hand, even anonymous first-party cookies from Google Analytics are forbidden unless you ask the German visitor for consent (https://complianz.io/google-analytics/).

The Complianz plugin changes the banner, the legal documents, and the cookies it blocks based on where the actual visitors come from. This is a unique feature. For visitors from the United States, Complianz shows an opt-out banner and places all the cookies at once. In Canada the plugin follows the PIPEDA rules (https://complianz.io/canada-casl-and-pipeda/). In India, there is no regulation specifically governing the use of cookies, so a visitor from that region would not see a cookie banner at all!

About Online Tests

Now back to explaining why online testers such as 2gdpr sometimes come to the wrong conclusion. There can be many reasons for that. To name just a few:

1. Online testers do not work region-based.

They only use one set of rules, so there is no room for legal or regional exceptions. The cookies most testers find are from Google Analytics and Hotjar. Both services can be configured, following the DPA guidelines, in a way that the data collected is considered anonymous. In most EU regions, it is allowed to load these before the visitor has given permission. The draft e-Privacy Regulation also mentions this as a valid use of cookies.

2. Some online testers have their servers based in non-regulated regions.

India, for example, has no cookie laws. This influences the result when testing a website whose plugin uses GEO IP: Complianz concludes that the visitor comes from that region and, by default, neither blocks the cookies nor shows a banner to that Indian visitor, which is the expected behavior.

3. Uncontrollable & Unrecognizable

It is also possible that a website uses a plugin that places cookies in ways that a cookie management system cannot detect and/or block before consent. If this is the case, the website owner should consider deleting the plugin or asking the plugin developer to implement the WP Consent API. As an alternative, it is always possible to use the cookieshredder in Complianz.
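The point above is that a plugin which sets its own scripts and cookies unconditionally cannot be gated by the CMP. The following is an added example, not code from Complianz or from the WP Consent API project, of how a plugin developer can hold back a consent-dependent script on the client until the visitor has decided. It relies on the two client-side hooks the WP Consent API exposes, the global function wp_has_consent(category) and the wp_listen_for_consent_change event dispatched on document; the assumption that the event payload (e.detail) is an object mapping each changed category to 'allow' or 'deny', the ConsentGate class and the injectScript helper are all specific to this example. The consent lookup and the loader are injected so the gating logic can be exercised outside a browser.

```javascript
// Added example (not Complianz or WP Consent API code): defer a script until
// the WP Consent API reports consent for its category.
// Assumed WP Consent API client hooks:
//   wp_has_consent(category) -> boolean
//   document event 'wp_listen_for_consent_change' with e.detail = { category: 'allow' | 'deny' }

// Example loader for a browser: inject the analytics/marketing script tag.
function injectScript(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

class ConsentGate {
  // category:   WP Consent API category, e.g. 'statistics' or 'marketing'
  // loader:     function that actually loads the script; called at most once
  // hasConsent: consent lookup; defaults to the WP Consent API global
  constructor(category, loader, hasConsent) {
    this.category = category;
    this.loader = loader;
    this.hasConsent = hasConsent || ((c) =>
      typeof globalThis.wp_has_consent === 'function' && globalThis.wp_has_consent(c) === true);
    this.loaded = false;
  }

  // Load only if consent for this category is already present. Returns whether loaded.
  check() {
    if (!this.loaded && this.hasConsent(this.category)) {
      this.loaded = true;
      this.loader();
    }
    return this.loaded;
  }

  // Event payload handler: load once when our category flips to 'allow'.
  onConsentChange(detail) {
    if (!this.loaded && detail && detail[this.category] === 'allow') {
      this.loaded = true;
      this.loader();
    }
    return this.loaded;
  }

  // Wire to the document (or any object with addEventListener) and check the
  // current state once, so a visitor who already consented earlier is served.
  attach(doc) {
    const target = doc || globalThis.document;
    target.addEventListener('wp_listen_for_consent_change', (e) => this.onConsentChange(e.detail));
    return this.check();
  }
}

// Browser usage (hypothetical script URL):
// new ConsentGate('statistics', () => injectScript('https://example.invalid/analytics.js')).attach();
```

Because the gate both checks the current state and subscribes to changes, it handles the visitor who answers the banner later in the session as well as the returning visitor whose choice is already stored; the loader runs once in either case.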

4. Cookies that are placed in the admin area

Some online scanners do not differentiate between cookies placed on the visitor’s device and cookies that are only placed on the device of the website admin while logged in. Usually, those cookies are indeed not blocked by a CMP, because blocking them could break certain admin functionality.
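Points 1, 2 and 4 above describe the same underlying defect: a tester that applies one rule set, from one location, to every cookie it sees. The following added example, which is not Complianz code and not the logic of any of the testers named, contrasts such a single-rule-set scan with a region-aware one. The policy table is a simplified rendering of the regional rules this article describes (UK, Netherlands, France, Germany, United States, India); the ISO-style region codes, the cookie record fields, the service names, the treatment of unknown regions as the strictest case and the sample cookie list are all assumptions constructed for this example.

```javascript
// Added example (not Complianz code): region-aware evaluation of cookies that
// were observed BEFORE the visitor answered the banner, versus the single
// rule set most online testers apply. Policy table is a simplified reading
// of the article; region codes and field names are assumptions.

const REGION_POLICY = {
  // UK: consent for statistical and tracking cookies, always.
  GB: { preConsentAllowed: ['functional'], anonymousStatsExempt: false },
  // NL/FR: anonymous first-party statistics may load before consent.
  NL: { preConsentAllowed: ['functional'], anonymousStatsExempt: true },
  FR: { preConsentAllowed: ['functional'], anonymousStatsExempt: true },
  // DE: same exemption, except Google Analytics always needs consent.
  DE: { preConsentAllowed: ['functional'], anonymousStatsExempt: true, noExemptServices: ['google-analytics'] },
  // US: opt-out model, all cookies are placed at once.
  US: { optOut: true },
  // IN: no cookie regulation, no banner is shown.
  IN: { unregulated: true },
};
// Unknown region: fall back to the strictest rule set (assumption for this example).
const DEFAULT_POLICY = REGION_POLICY.GB;

// May this cookie be set before consent under the given regional policy?
function isExemptPreConsent(cookie, policy) {
  if (policy.optOut || policy.unregulated) return true;
  if (policy.preConsentAllowed.includes(cookie.category)) return true;
  const anonymousFirstPartyStats =
    cookie.category === 'statistics' && cookie.firstParty === true && cookie.anonymized === true;
  if (anonymousFirstPartyStats && policy.anonymousStatsExempt) {
    return !(policy.noExemptServices || []).includes(cookie.service);
  }
  return false;
}

// Region-aware scan. Cookies flagged adminOnly exist only for a logged-in
// admin, so they are not visitor cookies unless the scan runs as the admin.
function regionAwareScan(region, cookies, options) {
  const adminSession = Boolean(options && options.adminSession);
  const policy = REGION_POLICY[region] || DEFAULT_POLICY;
  const findings = [];
  for (const c of cookies) {
    if (c.adminOnly && !adminSession) continue;
    if (!isExemptPreConsent(c, policy)) {
      findings.push({ name: c.name, reason: 'requires consent in ' + region });
    }
  }
  return findings;
}

// What a tester with one fixed rule set reports: every non-functional cookie
// seen before consent is a finding, regardless of region or admin context.
function naiveScan(cookies) {
  return cookies
    .filter((c) => c.category !== 'functional')
    .map((c) => ({ name: c.name, reason: 'non-functional cookie before consent' }));
}

// Constructed sample of cookies observed before any consent choice.
const OBSERVED = [
  { name: 'wordpress_test_cookie', category: 'functional', firstParty: true, anonymized: true },
  { name: '_ga', category: 'statistics', firstParty: true, anonymized: true, service: 'google-analytics' },
  { name: '_fbp', category: 'marketing', firstParty: true, anonymized: false, service: 'facebook-pixel' },
  { name: 'wp-settings-time-1', category: 'preferences', firstParty: true, anonymized: true, adminOnly: true },
];

// Helper for reading results: just the cookie names, comma separated.
function names(findings) {
  return findings.map((f) => f.name).join(',');
}
```

Run against the same observed cookies, the naive scan flags three cookies wherever the tester happens to sit, while the region-aware scan flags two for a UK visitor, one for a Dutch visitor, two for a German visitor and none for a visitor from India or the United States; the admin-only preferences cookie is only counted when the scan is run from an admin session.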
