M L

31.01.2024

Legal Alert | Website auditing tool launched by EDPB

Developed in the context of the Support Pool of Experts (SPE) of the European Data Protection Board (EDPB), this free and open-source software was launched to provide an “easy to use” tool for data protection authorities (DPAs) as well as for data controllers and processors wishing to test their websites for compliance.

On January 29, the European Data Protection Board (EDPB) launched a website auditing tool which is expected to help analyse existing websites for conformity with e-privacy provisions.

According to the launching information “[w]hile several website auditing tools already exist, these usually require technical expertise. Therefore, the EDPB decided to develop a solution that would be easy to use in order to facilitate enforcement by national DPAs and compliance checks by controllers”.

Compliance is focused on the rule resulting from the e-Privacy Directive, as contained in Member State transposition laws, according to which «the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user» – typically, but not necessarily, cookies – is only allowed on the basis of consent or necessity for specific purposes set out therein. [1]

At this point it is important to cross-refer to the very recently closed public consultation on the EDPB Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive. The Guidelines address the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions (other than cookies) and aim to provide a clear understanding of the technical operations covered by that provision, in view of the emergence of new tracking methods and the use, among others, of URL and pixel tracking, tracking based on IP only, intermittent and mediated Internet of Things (IoT) reporting, and unique or persistent identifiers.

Looking for trackers being used by websites

The tool «classifies data and generates reports regarding trackers that are being used by websites». [2]

It includes functionalities that give an overview of the personal data stored or transferred in or by the browser and that allow, among others, analysing screenshot recordings, cookie storage (classified by domain, name and potential purpose) and key/value storage in each frame contained in the displayed webpage, checking the use of SSL and the existence of forms where data is transmitted through an insecure communication (HTTP), and listing all known tracking pixels (web beacons) in the page.

Compliance assessment

Evidence is stored in the tool for later assessment of compliance with legal requirements. The tool aids compliance assessment and analysis and helps identify the purposes of the trackers found (by cross-referring to knowledge base lists of known trackers and their corresponding purposes). Adding as yet unknown trackers to a knowledge base for later assessment is also possible.

Inspection by DPA and self-auditing (own website) by data controller

Although, according to the user documentation available, this software «[…] is intended to be used to facilitate website inspections» (EDPB Website Auditing Tool), it is also perceived as a tool that will support data controllers in performing compliance checks on their own websites and may be used as such as part of a preventive approach to website self-compliance assessment.

It comprises reporting functionalities and is structured to collect evidence. Again, this is also relevant to support self-auditing for website compliance.

We remain at your entire disposal for further clarification.

_______________
[1] Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC), better known as the ePrivacy Directive (Directive 2002/58).
In the case of Portugal, this was transposed by Law no. 41/2004, of August 18 (as subsequently amended), being covered by Article 5 of same law.
[2] User documentation on EDPB Website Auditing Tool.