Website Privacy (6/6): Are requests coming from unauthorized countries, regions, or domains?

If you’ve followed along with our privacy validation series, you know that we've discussed auditing privacy policy link presence, “do not sell/share” link coverage, cookie consent banner tag presence, whether or not the consent management platform (CMP) is respecting user preferences, and where new or unapproved cookies are showing up on your site. The final question we address in this series is, “Are there network requests associated to countries, regions, or domains that I should not be sending data to?”

Laws around international data transfers are constantly in flux and most require us to pay attention to geolocations. In the same way you need to keep track of new technologies and approve or remove them from your site, you also need to monitor the geographic locations of possible data transfers and add them to approved lists or investigate further. You need to know where network requests are coming from because your site will be responding and potentially sending data to those locations.

Once again, we used ObservePoint to run an Audit of OneTrust.com, our example website for this series. We ran a standard 1000-page Discovery Audit and created a consent category to denote “approved” geolocations, in this case, the United States and Canada.

In the summary, you can see that the Audit found 39 request domains and geos that were not on the original approved list.

As you drill into the Request Domains & Geos report by clicking on the “unapproved” card, you can see three countries, France, Ireland, and the Netherlands specifically identified.

Those weren't on the original list of places that data is approved to go.

You might not understand why some of these locations may be showing up, such as France or the Netherlands, so you’ll need to dig in further with your team. But in this case, the domain for the request coming from Ireland (optanpn.blob.core.windows.net) is part of the OneTrust brand, so let’s assume that Ireland is okay. You can just click on the three circles by the “Unapproved” status and add that to a consent category so that Ireland and that specific domain are now “Approved.”

Once that geo and/or domain is added, then any time they show up in the future they will no longer be flagged as “Unapproved.” ObservePoint enables you to continuously curate your geolocations and “Approved” lists so you only get flagged when items are truly out-of-standard, allowing you to focus solely on the critical issues that ensure your website stays in compliance.

If you’d like to see how you could audit your own website to continuously monitor for new or unapproved locations, reach out to get a pre-recorded demo.