If the cookies and trackers on your website (both your own and those of third-parties) send personal user data to a third country or an international organization outside of the EU, you need to check if the third country (or organization) ensures an adequate level of protection of the user data (GDPR Article 45.1). The European Commission decides which countries outside the EU are deemed adequate.
How can I check where my users' data is being sent?
In the monthly scan report, all cookies and other tracking technology in use are listed. Included in the scan report is information about each cookie and (if applicable) what country the cookie sends data to and whether that country is deemed adequate or not by the European Commission. An example of this is shown below.
Cookies sending data to adequate countries will be marked with (adequate).
Cookies sending data to inadequate countries will be marked with (not adequate) highlighted in red.
Please note that it is not possible to determine - in a technically reliable way - if a cookie contains personal data or not. Therefore, and because Cookiebot also helps you be compliant with the EU ePrivacy Directive (ePR), which is much stricter about cookies even if they do not contain personal data, all cookies are listed in the scan report and not just those that contain personal data. If you see a cookie listed as sending data to an 'inadequate' third country, do check if this is a marketing cookie or not. If it is a marketing cookie, it is fair to assume that it contains personal data.
Your latest scan report has been sent to the email address(es) listed in the backend Manager and is also available here:
1. Log in to your account
2. Go to the menu point ‘Reports’
3. From here you can access your latest scan report
What should I do if I want to stop sending data to inadequate countries?
If you want to stop the cookies/trackers from sending your users' (personal) data to inadequate countries, you should delete that particular cookie. In the scan report you will find information about what type of cookie it is, where it was first found and in what line of the source code it can be found (where applicable). That way you can detect it and delete it.
What should I do if I want to continue sending data to inadequate countries?
Currently, it is not clear how it is possible to be GDPR compliant if you continue using cookies that send data to the US. Please keep an eye out for any comments or recommendations from your local DPA as this may provide information applicable to your situation.
If you do decide to keep using these cookies, you can make sure your users are informed about this. You must make sure to enable ‘explicit consent’ and inform your users about the potential risks (see GDPR Article 49(1) a.) by adjusting the text in the cookie consent banner to include this information. See How can I customize the content in the cookie consent banner?. Please see our blog post on the subject here: https://www.cookiebot.com/en/schrems-ii-privacy-shield/ and also keep an eye on our help center article on the topic of transferring data to the US under GDPR, which will be updated as the situation evolves in the aftermath of the ruling by the CJEU and as we learn more about possible alternative options and solutions.