In this blogpost, we reveal the Trackerdetect findings of monitoring the 33 websites of the European DPAs for 3rd parties, cookies, scripts, pixels and other tracking technologies.
Last week, we set up Trackerdetect to scan the homepages of the 33 websites of the European DPAs with the profile of a user that has not consented to any cookies.
Trackerdetect is a cloud SaaS that 4 times daily scans URLs with various end user profiles (to trigger profile triggered 3rd parties) from various scan locations (to trigger location triggered 3rd parties).
One would expect that the DPA websites would be GDPR and ePD compliant since the DPAs enforce the law and also in light of :
- the Fashion ID Case,
- the Planet49 Case,
- the ICO Guidance on the use of cookies and similar technologies,
- the CNIL Guidance on the use of cookies and similar technologies,
- the Spanish DPA fine for lack of cookie setting dashboard, and
- ICO asking people to report their concerns about specific cookies or similar technologies being used by websites.
Are the European DPA websites GDPR end ePD compliant?
Let´s have a look at the homepages of the 33 websites of the European DPAs.
We´ll start with the home page of the ICO website.
1) ICO homepage
Trackerdetect detected that ICO uses Google Cloud Platform:
Trackerdetect also detected - before the end user has consented - that Google Cloud Platform sets 2 scripts:
Trackerdetect also detected that the 2 scripts set by Google Cloud Platform are served from servers in the USA:
This can indicate that end user data are transferred to the USA.
Trackerdetect also detected that the home page of the ICO website has 6 iFrames embedded, and that in one iFrame, Google Cloud Platform runs directly in the iFrame:
This means that Google Cloud Platform controls that iFrame and can embed other 3rd parties in that iFrame.
Trackerdetect also detected that ICO sets 1 cookie, that is a session cookie for domain ico.org.uk and that will expire at the end of the browsing session:
Trackerdetect also detected 5 external resources on the page that Trackerdetect did not identify the resources to a specific service / tracker:
Trackerdetect also detected that the 5 external resources are served from servers in the USA:
This can indicate that end user data are transferred to the USA.
Trackerdetect shows the following graph of resources and 3rd parties on the ICO homepage:
In an earlier blog post, we have reviewed What’s (not) missing in ICO’s cookie banner?
2) AEPD homepage
Trackerdetect detected that AEPD uses Akamai Content Delivery Network:
Trackerdetect also detected - before the end user has consented - that Akamai Content Delivery Network sets 1 script that is served from a server in Europe:
Trackerdetect also detected that the home page of the AEPD website has 1 iFrame embedded. The Akamai Content Delivery Network runs directly in that iFrame:
Trackerdetect did not detect any cookies at the home page of the AEPD website:
Trackerdetect shows the following graph of resources and 3rd parties on the AEPD homepage:
In all, the home page of the AEPD website looks clean.
3) CNIL homepage
Trackerdetect did not detect any 3rd parties on the CNIL homepage:
Trackerdetect detected that CNIL on its homepage sets 2 cookies:
Trackerdetect also detected 1 iFrame embedded on the home page of the CNIL, and that iFrame is controlled by CNIL:
Trackerdetect shows the following graph of resources on the CNIL homepage:
4) EDPS homepage
Trackerdetect did not detect any 3rd parties on the EDPS homepage:
Trackerdetect detected that the EDPS on its homepage sets 1 cookie:
Trackerdetect also detected 1 iFrame embedded on the home page of the EDPS, and that iFrame is controlled by the EDPS:
Trackerdetect also detected 4 scripts and 2 images, all of which were served from servers in the EU:
Trackerdetect shows the following graph of resources on the EDPS homepage:
5) Slovenia DPA homepage
Trackerdetect did not detect any 3rd parties or cookies on the Slovenian DPA homepage:
6) Estonia DPA homepage
Trackerdetect detected two 3rd parties on the Estonia DPA homepage:
Trackerdetect detected that Google Cloud Platform sets a script on the Estonia DPA homepage, and that this script is served from the USA:
Trackerdetect detected that Siteimprove set a script on the Estonia DPA homepage, and that this script is served from the USA:
Trackerdetect also detected 1 iFrame embedded on the home page of the Estonia DPA, and in that iFrame Google Cloud Platform and Siteimprove run, and both can embed other 3rd parties in that iFrame:
Trackerdetect also detected 2 cookies on the home page of the Estonia DPA:
Trackerdetect shows the following graph of resources on the Estonia DPA homepage:
7) Swedish DPA homepage
Trackerdetect detected three 3rd parties on the Swedish DPA homepage:
Trackerdetect detected that Episerver sets a script on the Swedish DPA homepage, and that this script is served from the USA:
Trackerdetect detected that jQuery sets a script on the Swedish DPA homepage, and that this script is served from the USA:
Trackerdetect detected that ReadSpeaker sets a script on the Swedish DPA homepage, and that this script is served from the Netherlands:
Trackerdetect detected one iFrame embedded on the Swedish DPA homepage, and that in this iFrame, three 3rd parties run and can embed other 3rd parties:
Trackerdetect detected one session cookie on the Swedish DPA homepage:
8) Romania DPA homepage
Trackerdetect did not detect any 3rd parties on the Romanian DPA homepage, and detected one iFrame controlled by the the Romanian DPA homepage and one session cookie:
9) Cyprus DPA homepage
Trackerdetect detected one 3rd party, jQuery, on the Cyprus DPA homepage, and that jQuery sets 2 scripts which are served from the USA:
Trackerdetect detected one iFrame embedded on the Cyprus DPA homepage in which jQuery runs and can embed other 3rd parties:
Trackerdetect also detected another script on the Cyprus DPA homepage. The script is served from the USA:
Trackerdetect shows the following graph of resources and 3rd parties on the Cyprus DPA homepage:
10) Danish DPA homepage
Trackerdetect did not detect any 3rd parties on the Danish DPA homepage, and detected one iFrame controlled by the the Danish DPA homepage and two session cookies:
11) Bulgaria DPA homepage
Trackerdetect detected one 3rd party, Google Analytics, on the Bulgaria DPA homepage:
Trackerdetect detected that Google Analytics on the Bulgaria DPA homepage sets three permanent cookies, two session cookies, one script served from the USA and two images served from the USA:
Trackerdetect detected one iFrame embedded on the Bulgaria DPA homepage. That iFrame is controlled by Google Analytics who can embed other 3rd parties in that iFrame:
Trackerdetect detected seven cookies on the Bulgaria DPA homepage:
Trackerdetect detected another two cookies on the Bulgaria DPA homepage:
Trackerdetect shows the following graph of resources and 3rd parties on the Bulgaria DPA homepage:
12) Slovakia DPA homepage
Trackerdetect did not detect any 3rd parties on the Slovakia DPA homepage, and detected one iFrame controlled by the the Slovakia DPA homepage and one session cookie:
13) Lichtenstein DPA homepage
Trackerdetect detected one 3rd party, Matomo, on the Lichtenstein DPA homepage. Matomo sets two permanent cookies:
Trackerdetect detected one iFrame embedded in the Lichtenstein DPA homepage. Matomo runs in that iFrame and can embed other 3rd parties in that iFrame:
Trackerdetect detected two permanent cookies and one session cookie on the Lichtenstein DPA homepage:
Trackerdetect detected a script on the Lichtenstein DPA homepage. The script is served from a server in Lichtenstein:
14) Lithuania DPA homepage
Trackerdetect did not detect any 3rd parties on the Lithuania DPA homepage, and detected one iFrame controlled by the Lithuania DPA homepage and one session cookie:
15) Norwegian DPA homepage
Trackerdetect did not detect any 3rd parties on the Norwegian DPA homepage, and detected one iFrame controlled by the Norwegian DPA homepage and one session cookie:
16) Croatia DPA homepage
Trackerdetect detected four 3rd parties on the Croatian DPA homepage:
Trackerdetect detected that Google Cloud Platform uses a script on the Croatian DPA homepage. That script is served from a server in the USA:
Trackerdetect detected that YouTube on the Croatian DPA homepage uses two permanent cookies, two session cookies, three scripts and one iFrame. The script are served from a server in the USA:
Trackerdetect detected that DoubleClick on the Croatian DPA homepage uses one script. The script is served from a server in the USA:
Trackerdetect detected that Google on the Croatian DPA homepage uses one script. The script is served from a server in the USA:
Trackerdetect detected one iFrame embedded in the Croatian DPA homepage. Two 3rd parties run in that iFrame, both of which can embed other 3rd parties in that iFrame, which is done with three "child" 3rd parties that are pulled into the iFrame, and they are: DoubleClick, Google and YouTube:
Trackerdetect detected two session cookies and two permanent cookies on the Croatian DPA homepage:
Trackerdetect detected that the webpage server of the Croatian DPA is in Hungary:
Trackerdetect shows the following graph of 3rd parties and resources used on the Croatian DPA homepage:
17) Portugal DPA homepage
Trackerdetect neither detected any 3rd parties nor any cookies on the Portugal DPA homepage, and detected one iFrame controlled by the Portugal DPA homepage:
18) Greece DPA homepage
Trackerdetect did not detect any 3rd parties on the Greek DPA homepage, and detected one iFrame controlled by the Greek DPA homepage, and detected one session cookie:
19) Polish DPA homepage
Trackerdetect did not detect any 3rd parties on the Polish DPA homepage, and detected one iFrame controlled by the Polish DPA homepage, and detected two session cookies:
20) Hungary DPA homepage
Trackerdetect neither detected any 3rd parties on the Hungarian DPA homepage, nor detected any cookies on the Hungarian DPA homepage, and detected one iFrame controlled by the Hungarian DPA homepage:
21) Dutch DPA homepage
Trackerdetect did not detect any 3rd parties on the Dutch DPA homepage, and detected, and detected one iFrame controlled by the Dutch DPA homepage, and detected one session cookie on the Dutch DPA homepage:
22) Irish DPA homepage
Trackerdetect detected one 3rd parties, jQuery, on the Irish DPA homepage. jQuery uses one script on the Irish DPA homepage, and that script is served from a server in the USA:
Trackerdetect detected one iFrame embedded in Irish DPA homepage, and jQuery runs in that iFrame and can embed other 3rd parties:
Trackerdetect detected one session cookie on the Irish DPA homepage:
Trackerdetect detected one more script on the Irish DPA homepage, and that script is served from a server in the USA:
23) Czech Republic DPA homepage
Trackerdetect detected two 3rd parties on the Czech Republic DPA homepage:
Trackerdetect detected Gemius that sets 8 session cookies and 3 permanent cookies on the Czech Republic DPA homepage, and that Gemius uses one script on the on the Czech Republic DPA homepage, and that script is served from a server in the Czech Republic. Also, Gemius uses one iFrame on the Czech Republic DPA homepage, and that iFrame is served from France:
Trackerdetect detected one iFrame embedded in the Czech Republic DPA homepage. In that iFrame, Gemius and Google Analytics run directly and both can embed other 3rd parties into that iFrame, which is done in a "child" Frame:
Trackerdetect detected 11 cookies in the Czech Republic DPA homepage:
Trackerdetect shows the following graph of 3rd parties and resources on the Czech Republic DPA homepage:
24) Finnish DPA homepage
Trackerdetect detected two 3rd parties on the Finnish DPA homepage:
Trackerdetect detected Amazon Web Services that sets a permanent cookie on the Finnish DPA homepage:
Trackerdetect detected Twitter that sets an image on the Finnish DPA homepage. That image is served from a server in the USA:
Trackerdetect detected an iFrame embedded in the Finnish DPA homepage. In that iFrame, Amazon Web Services and Twitter rund directly and can embed other 3rd parties.
Trackerdetect detected seven cookies on the Finnish DPA homepage:
Trackerdetect detected another script used on the Finnish DPA homepage. That script is served from a server in the USA:
25) Belgian DPA homepage
Trackerdetect did not detect any 3rd parties on the Belgian DPA homepage. Trackerdetect detected one iFrame on the Belgian DPA homepage. That iFrame is controlled by the Belgian DPA homepage. Trackerdetect detected two session cookies and one permanent cookie on the Belgian DPA homepage:
26) Italian DPA homepage
Trackerdetect detected one 3rd party, ReadSpeaker, on the Italian DPA homepage. ReadSpeaker uses on the Italian DPA homepage 5 scripts, each of which are served from a server in the Netherlands:
Trackerdetect detected one iFrame embedded in the Italian DPA homepage. ReadSpeaker runs directly in that iFrame and can embed other 3rd parties in that iFrame:
Trackerdetect detected three session cookies on the Italian DPA homepage.
27) Latvian DPA homepage
Trackerdetect detected five 3rd parties on the Latvian DPA homepage:
Trackerdetect detected that AddThis sets 2 permanent cookies on the Latvian DPA homepage, and uses two scripts, each of which is served from a server in the Netherlands, and uses two iFrames, each of which is served from a server in the Netherlands:
Trackerdetect detected that Cookiebot sets two scripts on the Latvian DPA homepage, each of which is served from a server in the USA:
This can indicate that end users´consent event data are sent to the USA.
Trackerdetect detected that Google Cloud Platform uses 13 scripts on the Latvian DPA homepage, each of which is served from a server in the USA, and uses two images on the Latvian DPA homepage, each of which is served from a server in the USA:
Trackerdetect detected that one iFrame is embedded in the Latvian DPA homepage. In that iFrame, four 3rd parties run directly and can embed other 3rd parties in that iFrame, which is the case with four "child" 3rd parties:
Trackerdetect detected two permanent cookies on the Latvian DPA homepage:
Trackerdetect detected one Google image on the Latvian DPA homepage:
Trackerdetect shows the following graph of 3rd parties and resources on the Latvian DPA homepage:
28) Austrian DPA homepage
Trackerdetect detected one 3rd party, Matomo, on the Austrian DPA homepage. Matomo sets 2 permanent cookies on the Austrian DPA homepage:
Trackerdetect detected one iFrame embedded in the Austrian DPA homepage. In that iFrame, Matomo runs directly and can embed other 3rd parties:
Trackerdetect detected four permanent cookies and three session cookies on the Austrian DPA homepage:
Trackerdetect detected a script on the Austrian DPA homepage. That scripts is served from a server in Austria:
29) Malta DPA homepage
Trackerdetect detected one 3rd party, Google Analytics, on the Malta DPA homepage. Google Analytics sets one permanent cookie and three session cookies on the Malta DPA homepage:
Trackerdetect detected one iFrame embedded in the Malta DPA homepage. In that iFrame, Google Analytics runs directly and can embed other 3rd parties:
Trackerdetect detected four cookies on the Malta DPA homepage:
Trackerdetect detected an image on the Malta DPA homepage. That script is served from a server on Malta: