Websites change and evolve frequently, so how can organisations ensure their sites stay on the right side of privacy regulations? Regular audits can help them achieve this goal – and the European Data Protection Board (EDPB) provides a free tool to do just that. I will share firsthand findings from an in-depth test, to determine how useful the tool is in practice.

The EDPB website auditing tool, or WAT, is intended for data controllers and processors who want to test their websites against legal requirements of the EU GDPR and the ePrivacy Directive. We wanted to assess the WAT’s effectiveness in detecting privacy compliance issues, identifying non-compliant website practices, and its use in data protection impact assessments and consent management.

Identifying unknown privacy risks

The tool is free to download from the EU website and is available in five languages. The EDPB says it can help to identify potential unknown risks such as unintentionally set cookies, and that doing so supports trust and transparency with website visitors and can improve website performance.

A core function of the tool is assessing whether websites have a valid cookie consent mechanism that respects a user’s consent preferences on repeated visits, and whether rejecting non-essential cookies is as easy as accepting them. For each of these scenarios, the tool collects the cookies and external sources that a site loads, and it uses this information to form a report. The user of the tool can then test out different banner and consent box options, to inspect how the user experience changes. In assessing various consent box options, the tool allows for easy verification that all the cookies are correctly categorised. This ensures that no unnecessary cookie is loaded without the user’s permission.

How we tested the tool

An easy test for the tool’s capabilities is to request a specific URL for the tool to access. We used our own website, https://bhconsulting.ie/, which has a cookie banner offering two options for consent: ‘Accept All’ and ‘Reject All’.

There are three scenarios we need to assess. When a visitor chooses ‘Accept All’, the tool needs to review all the scripts, resources and cookies that are loaded. When someone clicks the option to ‘Reject All’, the tool needs to review what happens. In cases where the visitor does not interact with the cookie banner (and therefore is not giving consent), it’s important to see if any cookies, resources or scripts are loaded.

The tool accesses that URL, and collects data based on the chosen consent option. In this scenario, we chose ‘Accept All’ cookies. When assessing the website scenarios, it’s useful to label each scenario as: compliant, not compliant, or indeterminate. The same labelling can be applied to the specific cookies that a website sets. If the tool finds a site is using third party advertising cookies when the visitor chooses ‘Reject All’, that would be in violation of the GDPR and ePrivacy Directive.
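The three scenarios and the compliant / not compliant / indeterminate labelling described above, as an added Python example (not the EDPB WAT’s own code): it takes the cookies and third-party hosts an auditor captured under each scenario, together with the auditor’s own cookie categorisation and list of known tracking hosts, and labels each scenario with the findings behind the label. It goes one step beyond the text by also treating a repeat visit after ‘Reject All’ as a no-consent scenario, which is how the check that preferences are respected on repeated visits would be scored. Every cookie name, category and host in it is constructed sample data, not a finding from any real site.

```python
# Added example, not code from the EDPB WAT: label consent scenarios from captured cookies/hosts.
from dataclasses import dataclass, field
from typing import Dict, List, Set

ESSENTIAL, NON_ESSENTIAL, UNKNOWN = "essential", "non-essential", "unknown"
COMPLIANT, INDETERMINATE, NOT_COMPLIANT = "compliant", "indeterminate", "not compliant"
SEVERITY = {COMPLIANT: 0, INDETERMINATE: 1, NOT_COMPLIANT: 2}

# Scenarios in which the visitor has NOT consented to non-essential processing.
NO_CONSENT_SCENARIOS = {"reject_all", "no_interaction", "repeat_visit_after_reject"}


@dataclass
class Observation:
    """Cookies set and third-party hosts contacted while one scenario was captured."""
    cookies: Set[str]
    third_party_hosts: Set[str] = field(default_factory=set)


def worse(a: str, b: str) -> str:
    """Return the more severe of two labels so a finding never downgrades a scenario."""
    return a if SEVERITY[a] >= SEVERITY[b] else b


def label_scenario(scenario: str, obs: Observation,
                   categories: Dict[str, str], tracking_hosts: Set[str]) -> Dict[str, object]:
    """Label one scenario compliant / indeterminate / not compliant and list why."""
    label = COMPLIANT
    findings: List[str] = []
    for name in sorted(obs.cookies):
        category = categories.get(name, UNKNOWN)
        if category == UNKNOWN:
            # An uncategorised cookie cannot be judged either way, in any scenario.
            findings.append(f"cookie '{name}' is not categorised")
            label = worse(label, INDETERMINATE)
        elif category == NON_ESSENTIAL and scenario in NO_CONSENT_SCENARIOS:
            findings.append(f"non-essential cookie '{name}' set without consent")
            label = worse(label, NOT_COMPLIANT)
    if scenario in NO_CONSENT_SCENARIOS:
        # Calls to known tracking hosts without consent are a finding even if no cookie is set.
        for host in sorted(obs.third_party_hosts & tracking_hosts):
            findings.append(f"tracking host '{host}' contacted without consent")
            label = worse(label, NOT_COMPLIANT)
    return {"scenario": scenario, "label": label, "findings": findings}


def audit(observations: Dict[str, Observation], categories: Dict[str, str],
          tracking_hosts: Set[str]) -> Dict[str, Dict[str, object]]:
    """Label every captured scenario; keyed by scenario name."""
    return {s: label_scenario(s, o, categories, tracking_hosts) for s, o in observations.items()}


# Constructed sample data for illustration only; not findings from any real site.
SAMPLE_CATEGORIES = {
    "PHPSESSID": ESSENTIAL,       # server session
    "CookieConsent": ESSENTIAL,   # stores the visitor's banner choice
    "_ga": NON_ESSENTIAL,         # analytics
    "__hstc": NON_ESSENTIAL,      # marketing automation
}
SAMPLE_TRACKING_HOSTS = {"www.google-analytics.com", "track.hubspot.com"}
SAMPLE_OBSERVATIONS = {
    "accept_all": Observation({"PHPSESSID", "CookieConsent", "_ga", "__hstc"},
                              {"www.google-analytics.com", "track.hubspot.com"}),
    "reject_all": Observation({"PHPSESSID", "CookieConsent", "__hstc"}, {"track.hubspot.com"}),
    "no_interaction": Observation({"PHPSESSID", "example_pref"}),  # 'example_pref' is uncategorised
    "repeat_visit_after_reject": Observation({"PHPSESSID", "CookieConsent", "_ga"}),
}

if __name__ == "__main__":
    for result in audit(SAMPLE_OBSERVATIONS, SAMPLE_CATEGORIES, SAMPLE_TRACKING_HOSTS).values():
        print(f"{result['scenario']:>26}: {result['label']}")
        for finding in result["findings"]:
            print(f"{'':>28}- {finding}")
```

In the sample run, ‘Accept All’ comes out compliant, ‘Reject All’ and the repeat visit come out not compliant because a non-essential cookie (and, for ‘Reject All’, a tracking host) appears without consent, and the no-interaction capture is indeterminate because one cookie has no category yet. The categorisation table is the auditor’s input, which is exactly the manual step the tool relies on.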

Comparison test with Mozilla Observatory

To gain more detailed insights, we also compared EDPB WAT and Mozilla Observatory, which provides web application assessments so developers, system administrators, and security professionals can configure their sites safely and securely.

We found the two tools have distinct yet complementary roles in website auditing. EDPB WAT is more focused on privacy compliance, particularly for GDPR and ePrivacy Directive requirements. It effectively detects and categorises cookies, trackers, and third-party requests, ensuring transparency and lawful data processing. In our test, the tool identified 11 cookies and 19 web beacons on the BH Consulting website, including services like Google Tag Manager, HubSpot, and Cookiebot. These findings are critical for assessing compliance with GDPR Article 7 (consent) and Article 30 (Records of Processing Activities).

In addition, the tool’s ability to detect local storage usage, such as a key stored by www.google.com, further demonstrates its thoroughness in identifying hidden tracking mechanisms.

In contrast, Mozilla Observatory focuses on technical security, analysing security headers like CSP and HSTS to protect against web vulnerabilities. However, it lacks privacy-specific features, such as evaluating cookie consent or tracking activities, making it less suitable for GDPR compliance. The EDPB WAT’s manual evaluation process, while more time-consuming, provides tailored insights into compliance issues, whereas Mozilla’s automatic scoring offers a quick but less detailed security overview.

Key findings: strengths and limitations

WAT offers a structured approach to auditing compliance. The user-friendly approach makes it accessible to both technical and non-technical users, allowing for efficient privacy audits. The cross-tool compatibility and export of analysis data enhance its usability in an organisational setting. And finally, there’s no licensing cost.

Small businesses with limited compliance resources can benefit from WAT’s open-source nature, cost-effectiveness and ease of implementation. Cookie categorisation, consent management and third-party request monitoring are essential to ensure compliance with the GDPR and ePrivacy Directive.

Large enterprises with more complex data processing activities require a more robust compliance approach. Apart from integrating EDPB WAT into DPIAs, ROPA and compliance tasks, there are additional tools such as EDPS’ website evidence collector which allows auditors to import and evaluate results from multiple sources for a more thorough assessment.

As for limitations, one key drawback is that the WAT does not provide automated fixes, which means users must implement the necessary corrections manually. Secondly, it may not fully capture the complex and interactive consent mechanisms that some websites implement.

We found that using both WAT and Mozilla Observatory together creates a comprehensive compliance strategy. For instance, during our own website audit, Mozilla highlighted security header improvements, while the EDPB WAT flagged privacy issues like improperly categorised cookies and unauthorised third-party data transfers. It identified non-compliant cookies and third-party requests, which gave us actionable steps to improve compliance, such as updating cookie policies, reviewing third-party contracts, and conducting regular audits.

We found that by integrating findings from both tools, organisations can address both privacy and security risks, ensuring compliance. Regular audits using these tools, combined with actionable steps to resolve identified issues, will help maintain compliance, build user trust, and mitigate potential risks effectively.

Understanding the user’s perspective

To maintain compliance with the GDPR, it is important to understand how a website might impact a visitor through the setting of cookies, the use of local storage or calls to external resources. The WAT allows for a quick overview of what resources a website calls, and how it places or uses them.

Our evaluation of the WAT demonstrated its effectiveness as a privacy compliance tool. Its ability to detect and categorise cookies, trackers, and third-party requests provides valuable insights into website practices, ensuring transparency and lawful data processing. Its focus on consent mechanisms, data flows, and hidden tracking mechanisms aligns with key GDPR requirements. Although the tool requires manual evaluation and does not provide automated fixes, its detailed analysis makes it indispensable for privacy audits.

A quick scan using the EDPB WAT easily brings to light any oversights, so that businesses can fix any issue before it becomes a citable instance of noncompliance under the GDPR and/or the ePrivacy Directive. Integrating it into regular compliance processes, alongside complementary tools, helps to maintain transparency, build trust with users, and mitigate privacy risks effectively. This way, organisations can stay ahead of regulatory requirements and demonstrate a strong commitment to data protection.

 

Pameela George is a Junior Data Protection Consultant with BH Consulting.

About the Author: Gordon Smith

Gordon Smith is a freelance journalist, copywriter and content consultant based in Ireland. He has covered information security, cyber risk and data privacy in print and online for over two decades, from national media including the Irish Times, Irish Independent, and Business Post, to specialist online news sites and titles including Siliconrepublic.com, TechPro, Help Net Security and the Law Society Gazette. He also hosts the annual IRISSCON conference in Dublin – Ireland’s longest running infosecurity event – and has produced content for a number of security industry organisations and business groups.
