On 19 March 2026, the EDPB launched its Coordinated Enforcement Framework (CEF) on transparency and information obligations under the GDPR.
The CEF is a key action under the EDPB's 2024-2027 Strategy for cooperation among national Data Protection Authorities (DPAs).
During 2026, 25 DPAs across Europe will take part in this initiative.
It means regulators will look closely at how organizations explain their personal data practices to people.
The Coordinated Transparency Sweep is important for website owners, SaaS companies, e-commerce stores, publishers, and any business collecting user data online. Regulators will check whether your Privacy Policy and cookie notice inform users about personal data collection and handling practices.
Read this blog article to learn key transparency requirements for privacy disclosures and website privacy notices, needed for GDPR compliance.
What Is the EDPB 2026 Coordinated Transparency Sweep?
The EDPB 2026 Coordinated Transparency Sweep is part of the EDPB’s Coordinated Enforcement Framework (CEF) launched by the European Data Protection Board (EDPB) on March 19, 2026. Under the CEF, 25 Data Protection Authorities across the EEA will investigate data controllers to ensure privacy policies and cookie notices comply with GDPR transparency rules (Articles 12, 13, and 14).
Each year, the EDPB selects a GDPR topic for national Data Protection Authorities (DPAs) to examine more consistently. For 2026, the focus is transparency and information obligations under the GDPR.
The core focus of the EDPB 2026 coordinated transparency sweep is whether data processing information is provided in a concise, transparent, intelligible, and easily accessible way.
During 2026, DPAs specifically monitor compliance with the following provisions:
- Article 12 sets general rules on how data controllers communicate with data subjects, requiring transparency.
- Article 13 requires data controllers to provide information when personal data is collected directly from the data subject.
- Article 14 requires data controllers to provide information when personal data is obtained from indirect sources (e.g., data brokers, third parties).
The coordinated transparency sweep means regulators are investigating whether organizations clearly explain how they collect, use, share, store, and protect personal data.
During the 2026 coordinated enforcement action, Data Protection Authorities investigate practical aspects of transparency, raising the following questions:
- How do organizations present information to individuals?
- What exactly do businesses tell users when collecting personal data directly from them?
- What must businesses disclose when collecting personal data from other sources?
- Do businesses create clear, accessible, and understandable privacy policies?
While regulators investigate data collection and processing across sectors, the focus is on websites because they are public and an easy target.
Every data collection method needs to be accompanied by an explanation of data collection and processing practices. Regulators will investigate:
- Cookie banners,
- Contact forms,
- Newsletter signups,
- Analytics tools,
- Embedded videos,
- Advertising pixels,
- Chat widgets,
- CRM integrations, and
- Lead generation forms.
The 2026 coordinated transparency sweep doesn’t create new rules for transparency. The GDPR still applies as before. Instead, the sweep brings coordinated attention to whether transparency works in practice.
If a DPA finds non-compliance with transparency requirements during initial investigations, authorities can launch formal investigations leading to warnings, orders, or severe fines.
Note that fines for non-compliance with GDPR could reach up to EUR 20 million or 4% of a company’s total worldwide annual turnover, whichever is higher.
During the second half of the year, DPAs will discuss their investigations together, with an aim of aggregating the results and generating deeper insight into the topic. A consolidated report will then be drafted and submitted for adoption by the EDPB, allowing for follow-ups by the EDPB transparency sweep on both national and EU levels.
Why Website Privacy Disclosures Are Under DPA Scrutiny
Website privacy disclosures are under DPA scrutiny because they are the most important privacy disclosures: they are the first, and sometimes only, place where companies inform users about how they handle user personal data. Second, DPAs focus on websites because they are public and an easy target. Third, website data processing has recently become more complex, comprising many tracking tools.
In 2026, national DPAs’ website audits are investigating website privacy disclosures.
Website audits by national Data Protection Authorities revealed that the most common problems with privacy notices include:
- Too vague privacy notices
Some privacy notices just provide a vague, general disclosure such as “We may use your data to improve our services”. Such notices don’t explain what data they collect, for what reasons, what services they improve with users’ data, or what legal basis applies. Thus, such privacy notices do not satisfy GDPR transparency requirements.
- Too long or complicated privacy notices
Privacy notices should be clear and easy to understand. If they are long, use technical jargon, or are otherwise so complicated that the majority of users cannot reasonably understand them, they also fail the transparency test.
- Privacy notices that don’t disclose cookies
Privacy notices must disclose what categories of cookies a website sets. If a notice simply says “We use analytics and marketing cookies,” while the website actually sets dozens of third-party scripts, advertising pixels, social media plugins, and retargeting tools, it does not satisfy GDPR transparency requirements. The Privacy Policy audit will not consider such notices valid.
DPAs focus on websites because they are public, visible, and an easy target. Education platforms, travel and hospitality booking sites, finance and fintech websites, and course creators all collect user personal data and thus need to have transparent privacy policies.
B2B sites also need a cookie banner with privacy notices if they use at least some analytics, tracking, or retargeting, or embed third-party scripts.
Another reason why DPAs focus on websites is that website data processing has recently become more complex, comprising many tracking tools. Even a small business site may use:
- Analytics tools, such as Google Analytics.
- Meta Pixel, LinkedIn Insight Tag, or other ad trackers.
- Embedded maps, videos, fonts, or widgets.
- Newsletter platforms.
- Customer support chat tools.
- Payment processors.
- A/B testing tools.
- CRM integrations.
- Consent management platforms.
Each tool may collect different categories of data. Some website trackers may share data with third parties. Some may transfer data outside the EU.
Thus, even a small site could collect large amounts of personal data, understand user behavior, interests, and buying preferences, and share it with many other companies for targeted advertising. If a website doesn’t contain a transparent privacy notice, it will violate GDPR (Articles 12, 13, and 14).
What National DPAs Are Likely to Check During the Transparency Sweep
During the transparency sweep, 25 European Data Protection Authorities (DPAs) will check whether organizations provide clear, concise, and accessible information on how user personal data is collected and processed. DPAs may check the privacy notice, Cookie Policy, consent banner, preference page, forms, account registration pages, checkout flows, and any layered notices shown to users.
First of all, Data Protection Authorities will check whether users are told what personal data a website collects before or at the time the data is collected. They will also look at whether that information is accurate, easy to access, and easy to understand.
DPAs may check any layered notices shown during the user visit:
- Privacy notices
- Cookie policies
- Consent banners
- Preference pages
- Registration forms
- Account registration pages
- Checkout flows, or
- Any other notices shown to users.
While the exact checklist is not known, DPAs may be interested in these questions:
- Does a website have a privacy notice at all?
- Could the privacy notice be easily found from every relevant page?
- Does the privacy notice use clear, specific, and understandable language?
- Does the notice explain who the data controller is?
- Does it explain what categories of personal data are collected?
- Does it explain why the data is collected?
- Does it identify the legal basis for each processing purpose?
- Does it explain who receives the data?
- Does it describe international transfers where relevant?
- Does it tell users how long data is kept?
- Does it explain user rights and how to exercise them?
- Are cookie disclosures consistent with the Cookie Banner and scanner results?
- Are third-party tracking tools properly disclosed?
- Are third-party tracking tools blocked until consent is given?
Transparency is not only about informing users about your data management practices. It is also about the timing and behavior of tracking scripts.
A GDPR-compliant website must:
- Not set analytics or marketing cookies without user consent.
- Block all non-essential cookies before consent is obtained.
- Describe cookie categories correctly.
- Use user data only for purposes originally revealed at the point of data collection.
- Not share user Personal Information with third parties without user consent.
- Not transfer user data internationally without user consent.
- Have a legal basis for the collection of user data.
DPAs may also assess whether organizations can demonstrate that their privacy disclosures are kept up to date. If your Privacy Policy is three or four years old but you use it on a website that uses current marketing tools, analytics, and AI tools, it will not comply with GDPR.
Finally, you must keep consent records of user choices for proof of compliance.
Record:
- Whether users accepted or rejected cookies.
- Which cookie categories were accepted.
- Whether users changed their choice.
- Active privacy signals, such as Global Privacy Control or Do Not Track.
- The version of the Privacy Policy in effect when users made their cookie choice.
Key Transparency Requirements for Website Privacy Notices
Website privacy notices must be concise, easily accessible, and written in clear, plain language without legal jargon. They must provide the identity and contact details of the business, what personal data is collected, why it is processed, how long it is retained, and who it is shared with.
Key GDPR transparency requirements for website privacy notices include:
- Identity and contacts
Data controllers should provide the company name, contact details, and, where applicable, the data protection officer or privacy contact. Users should know who is responsible for the processing.
- Categories of personal data
Explain what types of data the business collects. This could include contact details, account information, payment data, IP addresses, device data, browsing activity, cookie identifiers, or marketing preferences.
- Purposes of data processing
Privacy notices should explain why a business collects Personal Information. Don’t use vague terms, such as “For business operations” or “To improve user experience”. Be clear, explaining that you collect data for account creation, order processing, analytics, fraud prevention, personalized advertising, and consent management.
- Legal basis
Privacy notices should explain the legal basis (e.g., consent or legitimate interests) for data processing. For example, a legal basis for data processing could include contract fulfillment, consent for marketing or analytics, legitimate interests for certain security activities, or legal obligation for tax record retention.
- Third-party sharing
Privacy notices should provide the categories of third parties with whom data is shared, such as payment processors, analytics vendors, marketing platforms, email providers, customer support tools, or advertising partners.
- International transfers
If data is transferred outside the EEA, the privacy notice should state this and explain the safeguards used to protect personal data.
- Data retention
Privacy notices should explain how long data will be stored.
- Security measures
Privacy notices should outline safeguards used to protect user data.
- User rights
Inform users about their GDPR rights regarding access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent where processing is based on consent.
- The privacy notice must be easy to find
Show a Cookie Banner on the user's first visit to your website and on any form where data is collected. Also place the notice in the website footer or the Privacy page to allow users to change their cookie choices later.
Use a layered approach to the privacy notice, including collapsible menus for more information and bullet points to break up text so users can easily navigate to what they need.
A Consent Management Platform like CookieScript can help businesses create and deliver cookie notices on their websites.
With CookieScript, you can easily create a cookie notice and comply with GDPR. You can:
- Display a cookie notice on your website.
- Create a customizable Cookie Banner that fits your design or brand.
- Give users full control to accept, decline or change cookie settings on the banner.
- Customize the banner for desktop and mobile devices for accessibility.
- Show a cookie table (with name, type, purpose and duration) for full disclosure of cookies.
- Show an auto-translated banner to users based on their browser language.
- Auto-block third-party cookies until the user gives consent.
- Record all user consents for proof of compliance.
- Generate a Cookie Policy with detailed disclosure of cookie use and link it to your Cookie Banner.
- Scan your website for cookies to auto-update your cookie list and cookie policy.
Common Privacy Disclosure Mistakes That Can Trigger Regulatory Attention
The most common privacy disclosure mistakes include providing the wrong legal basis, using vague purposes for data collection, using legal jargon, failing to disclose third-party tools, a mismatch between the cookie banner and the Privacy Policy, outdated privacy notices, no clear data retention information, unrevealed third parties, and cookies that do not match actual behavior.
Often, privacy disclosure mistakes arise unintentionally. A marketing team adds a new marketing tool that uses website trackers or introduces a CRM integration. Developers change cookie banners or replace a newsletter provider. Nobody updates the privacy notice, so it becomes a problem during a compliance audit.
Here are some common mistakes that can attract regulatory attention:
- Providing the wrong legal basis
Some websites rely on legitimate interests for activities that may require consent, especially when they use cookies for analytics or online advertising.
- Using vague purposes for data collection
Phrases like “improving user experience”, “business needs”, or “marketing purposes” may not be enough if they do not explain the real purposes of data collection. You should explain in detail whether you are analyzing user behavior, building profiles, collecting data for sending marketing emails, or sharing data with ad networks. These are very different purposes.
- Using legal jargon
A privacy notice should provide detailed information but still use clear and transparent language. If you use legal jargon which is difficult to understand, it may not be valid.
- Failing to disclose third-party tools
Analytics, advertising, chat, video, map, payment, and email tools often involve third-party data processing. If you use them on the website, the privacy notice should reflect that.
- Cookie banner and Privacy Policy mismatch
If the cookie banner provides one type of information, the cookie policy says another, and the actual cookie set is different from both, regulators may consider your website non-compliant.
- Outdated privacy notices
Update privacy notices regularly. A Privacy Policy that has not been reviewed in years may not accurately correspond with your business.
- No clear data retention information
Many privacy notices do not provide data retention details because they are hard to define. But GDPR requires informing users how long their data will be kept.
- Third parties are not revealed
If you use third parties, such as payment processors, analytics vendors, marketing platforms, email providers, customer support tools, or advertising partners, privacy notices should list all of them. Explain to users why you share their data with third parties. Are they processors, controllers, advertisers, affiliates, or service providers?
- Poor mobile accessibility
Privacy notices should be easy to read on both web and mobile versions of a website. Many users access privacy information on mobile. If the notice is hard to read or doesn’t work, it’s a problem.
- Presence of cookies that do not match actual behavior
If non-essential cookies load before consent, the banner wording will not fix the problem. DPAs test what cookies are loading before and after consent, what data your website collects, and whether the data is shared with third parties.
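The before-and-after-consent comparison described above can be scripted for internal testing. The following is an added example, not code from this article or from CookieScript; the cookie table, the observed cookies, the domain and the function names are constructed for illustration.

```javascript
// Added example: compare the cookies a site actually set during a test visit
// with its published cookie table and the visitor's consent choice.

// Cookie table as published in the cookie policy (constructed sample).
const disclosed = [
  { pattern: /^session_id$/, category: "essential" },
  { pattern: /^_ga(_.*)?$/, category: "analytics" },
];

// Cookies observed in a test visit (constructed sample). `phase` says whether
// the cookie appeared before the visitor made a choice or after it.
const observed = [
  { name: "session_id", domain: "shop.example", phase: "pre-consent" },
  { name: "_ga", domain: "shop.example", phase: "pre-consent" },
  { name: "_ga_ABC123", domain: "shop.example", phase: "post-consent" },
  { name: "_fbp", domain: "shop.example", phase: "post-consent" },
];

// Category from the published table, or null when the cookie is not listed.
function categoryOf(name, table) {
  const row = table.find((r) => r.pattern.test(name));
  return row ? row.category : null;
}

// Returns one finding per problem; an empty array means disclosures and
// behaviour agree for this visit.
function auditCookies(observedCookies, table, acceptedCategories) {
  const accepted = new Set(["essential", ...acceptedCategories]);
  const findings = [];
  for (const c of observedCookies) {
    const category = categoryOf(c.name, table);
    if (category === null) {
      // Not in the cookie table at all: banner, policy and reality disagree.
      findings.push({ cookie: c.name, issue: "undisclosed" });
      continue; // category unknown, so the consent checks cannot run
    }
    if (category === "essential") continue;
    if (c.phase === "pre-consent") {
      // Non-essential cookie loaded before the visitor chose anything.
      findings.push({ cookie: c.name, issue: "set-before-consent", category });
    } else if (!accepted.has(category)) {
      // Visitor chose, but did not accept this category.
      findings.push({ cookie: c.name, issue: "set-without-consent", category });
    }
  }
  return findings;
}

// Test visit in which the visitor accepted analytics only.
const findings = auditCookies(observed, disclosed, ["analytics"]);
console.log(findings);
```

The observed list would normally come from a cookie scanner or a browser test run that captures cookies once on page load and again after the banner choice.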
How Businesses Can Prepare Their Websites for a DPA Audit
Use this checklist to prepare your websites for a DPA audit:
- Identify data collection points
Perform data mapping at every data collection point. Document sign-up forms, contact pages, newsletter subscriptions, checkout flows, and account logins.
- Audit cookie loading and tracking mechanisms
GDPR requires obtaining consent before loading non-essential cookies. Ensure Google Analytics, marketing pixels, chat widgets, and other marketing and analytics tools from third parties do not load until consent.
- Keep consent logs
For compliance, you need proof of consent. DPAs will ask for evidence. Thus, you must securely log all consent details: whether users gave consent, which tracking categories they agreed to, when consent was given, and which banner and privacy policy version was active.
- Update privacy and legal pages
The privacy policy must reflect real data handling practices and list all third parties with whom you share users’ data. Explicitly state what data you collected, the legal basis for processing, retention periods, and list all third parties. Update your privacy policy and legal pages every time you add any third-party tools or website trackers.
- Review third-party processors
Ensure Data Processing Agreements (DPAs) are signed with every third-party vendor (hosting, marketing, CRM, analytics) with whom you share user data.
- Facilitate data subject rights
Make sure that users can easily exercise their rights to access, port, or delete their data. Have automated forms or dedicated contact links for users to submit the corresponding requests.
- Test your website for compliance
Run internal audits for compliance. Document your scope, audited flows, identified findings, any security issues, and remediation actions.
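One way to structure the consent log from the "Keep consent logs" item above and the earlier "Record" list, as an added example that is not code from this article or from CookieScript. The field names, visitor ID and version strings are assumptions; `Sec-GPC` and `DNT` are the request headers browsers send for Global Privacy Control and Do Not Track.

```javascript
// Added example: append-only consent log. Field names are assumptions,
// not a standard schema or any vendor's format.

// Read browser privacy signals from request headers (lower-cased keys).
// "Sec-GPC: 1" is Global Privacy Control; "DNT: 1" is Do Not Track.
function privacySignals(headers) {
  return { gpc: headers["sec-gpc"] === "1", dnt: headers["dnt"] === "1" };
}

// The record in force for a visitor at a given time, or null if none.
// Timestamps are ISO 8601 UTC strings, which sort correctly as text.
function latestFor(log, visitorId, at) {
  let hit = null;
  for (const e of log) {
    if (e.visitorId === visitorId && e.at <= at && (hit === null || e.at >= hit.at)) {
      hit = e;
    }
  }
  return hit;
}

// Append a record. Earlier records are never edited, so a changed choice
// stays visible as history instead of overwriting the old one.
function recordConsent(log, { visitorId, accepted, headers, policyVersion, bannerVersion, at }) {
  const previous = latestFor(log, visitorId, at);
  const categories = Object.freeze([...accepted].sort());
  const entry = Object.freeze({
    visitorId,          // pseudonymous ID, not a name or e-mail address
    at,                 // when the choice was made
    decision: categories.length === 0 ? "rejected" : "accepted",
    categories,         // which cookie categories were accepted
    changedFromPrevious:
      previous !== null && previous.categories.join() !== categories.join(),
    signals: privacySignals(headers),
    policyVersion,      // Privacy Policy version shown at the time
    bannerVersion,      // banner version shown at the time
  });
  log.push(entry);
  return entry;
}

// Constructed sample: a visitor accepts two categories, then later rejects all.
const consentLog = [];
recordConsent(consentLog, {
  visitorId: "v-1001", accepted: ["marketing", "analytics"], headers: {},
  policyVersion: "2026-03", bannerVersion: "b7", at: "2026-04-02T09:15:00Z",
});
recordConsent(consentLog, {
  visitorId: "v-1001", accepted: [], headers: { "sec-gpc": "1" },
  policyVersion: "2026-05", bannerVersion: "b8", at: "2026-06-10T18:40:00Z",
});

// What was in force on 1 May 2026, and under which policy version?
console.log(latestFor(consentLog, "v-1001", "2026-05-01T00:00:00Z"));
```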
Use CookieScript CMP to prepare for auditing website privacy disclosures by national DPAs.
In 2025, CookieScript received its fourth consecutive badge as the leader on G2, a peer review site, and became the best CMP on the market for a whole year for small and medium-sized businesses!
Frequently Asked Questions
What is the EDPB 2026 coordinated transparency sweep?
The EDPB 2026 Coordinated Transparency Sweep is part of the EDPB’s Coordinated Enforcement Framework (CEF) launched by the European Data Protection Board (EDPB) on March 19, 2026. Each year, the EDPB selects a GDPR topic for national Data Protection Authorities (DPAs) to examine in a more aligned way. For 2026, national DPAs across Europe are checking whether organizations clearly explain how they collect, use, share, and store personal data. Use CookieScript CMP to create cookie notices and comply with GDPR.
Why are website privacy disclosures under DPA scrutiny?
Website privacy disclosures are under DPA scrutiny because they are the most important privacy disclosures: they are the first, and sometimes only, place where companies inform users about how they handle user personal data. DPAs also focus on websites because they are public, an easy target, and website data processing has recently become more complex, comprising many tracking tools. Use CookieScript Cookie Scanner to scan your website for cookies and other trackers.
What website disclosures can national DPAs check?
National DPAs may check privacy policies, cookie policies, consent banners, data collection forms, newsletter signups, checkout flows, and other website notices. They may also compare these disclosures against the cookies, trackers, analytics tools, and third-party scripts actually running on the website. Use CookieScript CMP to create compliant cookie notices and cookie banners.
How can businesses prepare for a website privacy disclosure audit?
Businesses can prepare by reviewing their privacy notice, performing data mapping, scanning their website for cookies and trackers, keeping consent logs, checking whether third-party tools are properly disclosed, updating privacy and legal pages, and making sure consent settings match actual website behavior. Privacy disclosures should be clear, accurate, easy to access, and kept up to date. CookieScript CMP can help you to create compliant cookie notices.