Privacy Inspector

The DataGrail Privacy Inspector is a companion tool for your organization to review the trackers running on your website that may be selling or sharing information with third parties. We designed the inspector to be a fast and easy way to verify your site's successful implementation of DataGrail Consent.

Chrome Extension

Installation

The DataGrail Privacy Inspector is a Chrome Extension that can be downloaded via the Chrome web store. Once installed, pin the extension to your address bar:

[Image: pinning the extension]

Once complete, you can access the Extension by clicking the icon:

[Image: using the extension]

Exploring Detected Trackers

The Privacy Inspector exposes the trackers running on your site that match DataGrail's model for vendors that typically access a data subject's personal information and should be configured for management by DataGrail Consent. If DataGrail Consent is configured correctly and you've set a preference to opt out of non-essential tracking, items that appear on this list should be considered essential to the functioning of your app/website.

Trackers Defined

A tracker is a network request that your web app makes to an external service that matches our models for known vendors that access personal user information, such as browser information, web history, website behavior, and more.

Each tracker is organized by unique subdomain, or part of a service, that makes one or more requests, some of which include the transmission of personal information to the service. Most of the trackers on the list within the Privacy Inspector are typically those that make requests to third-party apps that are used for marketing, analytics, or personalization of the experience. As such, these requests may be for non-essential purposes and should not appear within the list. There are a couple of notable reasons why trackers would still appear on this list after sending an opt-out request to your site (handled by DataGrail Consent):

  1. The tracker was marked as essential: Not all third-party trackers use personal information to provide their services, but they still make external network requests. For example, content delivery networks (CDNs) are external services that your website relies on to retrieve images, video, or other information in an optimized way.
  2. The tracker retrieves personal information but then anonymizes the data within the service itself. The external service may have both non-essential and essential purposes for the functionality of your site, so it is easier to use the vendor's privacy/consent features and pass along a consent choice made with DataGrail to the third party. For example, Shopify handles the essential aspects of your site's experience but also offers a Privacy API to ensure non-essential features respect a user's consent preferences.

Accordingly, for each tracker that appears on the list, you'll need to decide if it is essential or non-essential before determining how to manage the tracker with DataGrail Consent.

Tracker Request Types

Each tracker may have multiple request types associated with it, but the Privacy Inspector marks trackers that have a Script type, making it easy to identify the source code needed to manage the script with DataGrail Consent.

[Image: tracker types]

Here are the definitions for each tracker type, which can be revealed by clicking on the tracker item within the Privacy Inspector:

  1. Script/JS: These are requests that are made as a result of the execution of JavaScript code on your site.
  2. Ping/XMLHTTPRequest (XHR): These are requests that deliver or receive information from another service.
  3. iFrame/Sub_Frame: These are requests that originate from an iFrame or embedded document (HTML or similar) within your site.
  4. Image: These are requests that occur as a result of loading an image. Requests of this type were included to cover the use of tracking pixel technologies.
  5. Stylesheet/CSS: These are requests that retrieve stylesheets or design files that make the site look or feel a certain way.

DataGrail Consent can be configured to manage the execution of all of these requests based on a data subject's consent preference. As you can see, tracking can occur via any of these request types, which represent varying strategies to send and receive information that goes beyond what is "visible" on the page.

Reveal Script Origin Code

As you can see in the screenshot above, if a tracker is a script/js type, you will see an icon to the right of a tracker item's vendor name. Clicking on these trackers will additionally reveal the source code for the script.

If a tracker appears on this list and it shouldn't have, developers can use this feature as a shortcut when configuring this service with DataGrail Consent.

Exporting Detected Trackers to your Clipboard

You can use the copy list button to copy the visible Detected Trackers on the list to your clipboard to paste and send to members of your team. Here's an example of the output after running the Privacy Inspector on a media site:

33Across, Inc. (33across.com)
AcuityAds (acuityplatform.com)
Adobe Inc. (demdex.net)
Amazon Technologies, Inc. (amazon-adsystem.com)
Amazon Technologies, Inc. (amazon.com)
Amobee, Inc (turn.com)
ANIVIEW LTD (aniview.com)
...
Twitter, Inc. (t.co)
Twitter, Inc. (twitter.com)
Vdopia Inc. (chocolateplatform.com)
Verizon Media (yahoo.com)
Verizon Media (yimg.com)

The output is a (truncated) alphabetized list of the trackers by vendor name, with the specific tracker domain in parentheses. Note that trackers are delineated by domain, which means the same vendor may appear more than once and may execute multiple different types of network requests.

We use the following workflow to determine a site's compliance with Consent preferences after DataGrail Consent has been configured and deployed to a website:

  1. Establish an initial baseline: Run the Privacy Inspector and note the trackers that are visible on the list without having made any consent choices (either via the banner notice or using an opt-out signal). If your site uses many services for personalization, analytics, or other non-essential functionalities, you may have dozens of trackers visible on first load.
  2. Opt out of tracking via the DataGrail Consent banner notice: Select "accept essentials only" or a similar option, which should block most non-essential trackers from loading on your site if configured completely with DataGrail Consent. Based on the policy you would be governed by as a result of your location, you may have to trigger the banner using a link on your site.
  3. Compare the new detected trackers list against the baseline: You should see significantly fewer trackers loading on your site because DataGrail Consent blocked them from executing after receiving the opt-out request. If there are still trackers on the list, you'll need to determine if they are essential to the site or managed using the service's privacy control capabilities.
  4. Configure DataGrail Consent to manage any remaining, non-essential trackers: If you determine a tracker that is visible should have been handled by DataGrail Consent and wasn't, you can work with your development team to ensure that it respects a consent choice by integrating it with Google Tag Manager or handling it as an inline script.
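
The comparison in steps 1 to 3 can be scripted against two clipboard exports. The following is an added example, not part of the Privacy Inspector or DataGrail's own code; the sample exports, the `cdn.example.net` entry and the essential-domain allowlist are constructed assumptions.

```javascript
// Constructed sample exports in the "Vendor (domain)" format produced by the copy list button.
const BASELINE = `Adobe Inc. (demdex.net)
Amazon Technologies, Inc. (amazon-adsystem.com)
Example CDN Co. (cdn.example.net)
Twitter, Inc. (t.co)`;
const AFTER_OPT_OUT = `Example CDN Co. (cdn.example.net)
Twitter, Inc. (t.co)`;
// Assumption: domains your team has already reviewed and classified as essential.
const ESSENTIAL_DOMAINS = new Set(["cdn.example.net"]);

// Parse an export into Map(domain -> vendor). Vendor names may contain commas
// or parentheses, so the domain is taken from the last parenthesized token.
function parseExport(text) {
  const trackers = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line === "...") continue; // blank line or truncation marker
    const m = line.match(/^(.*\S)\s*\(([^()\s]+)\)$/);
    if (!m) throw new Error(`Unrecognized export line: ${line}`);
    trackers.set(m[2].toLowerCase(), m[1]);
  }
  return trackers;
}

// Steps 1-3 of the workflow: diff the opt-out run against the baseline.
function compareRuns(baselineText, afterText, essentialDomains) {
  const before = parseExport(baselineText);
  const after = parseExport(afterText);
  const report = { blocked: [], essentialRemaining: [], needsReview: [], newAfterOptOut: [] };
  for (const domain of before.keys()) {
    if (!after.has(domain)) report.blocked.push(domain);
  }
  for (const [domain, vendor] of after) {
    // A tracker that only shows up after opting out deserves a closer look.
    if (!before.has(domain)) report.newAfterOptOut.push(domain);
    if (essentialDomains.has(domain)) report.essentialRemaining.push(domain);
    else report.needsReview.push(`${vendor} (${domain})`); // candidate for step 4
  }
  return report;
}

console.log(compareRuns(BASELINE, AFTER_OPT_OUT, ESSENTIAL_DOMAINS));
```

Entries under `needsReview` are the trackers still loading after opt-out that are not on your allowlist, which is the input to step 4.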

The Privacy Inspector can send an opt-out request directly using the Global Privacy Control (GPC) signal, which can expedite submitting an opt-out request without having to use the banner notice on your page.

[Image: GPC toggle]

DataGrail Consent treats the presence of GPC settings as "accept essentials only" or "opt-out" of tracking, which means you can achieve the same result as making a manual selection via the banner notice as indicated in Step 2 in the above workflow.

Note: When you toggle GPC on or off, your browser will refresh to ensure that setting is captured and passed to the site and picked up by DataGrail Consent.

Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.