# GDPR Compliance Testing
BugBrain scans for common GDPR compliance gaps, helping ensure your application respects data privacy regulations and user rights.
## What BugBrain Tests
### Consent & Cookie Management
**Cookie Consent Banner** — GDPR requires explicit consent before tracking cookies
- Detects missing consent banners on first visit
- Checks for cookie category selection (required, functional, analytics, marketing)
- Verifies “Reject All” button (not just “Accept”)
- Severity: Critical (non-compliance can result in fines up to €20 million or 4% of annual global revenue, whichever is higher)
**Consent Persistence** — User preferences must be remembered
- Checks if user’s cookie choices are stored
- Verifies choices persist across sessions
- Severity: Serious
**Cookie Inventory** — All cookies must be disclosed
- Detects tracking/third-party cookies
- Verifies cookies are listed in consent banner
- Severity: Serious
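The three checks above look for a banner that offers "Reject All", remembers the choice, and re-prompts when the cookie list changes. As an added example (not BugBrain's code and not from the original page), the following JavaScript is a minimal consent store that implements that behaviour. The storage key `cookie_consent`, the `CONSENT_VERSION` constant and the injected storage object are assumptions; the four category names come from the page. Storage is injected so the same code runs in Node for testing and in a browser with `window.localStorage`.

```javascript
// Added example: consent persistence with reject-by-default and re-prompt on inventory change.
// Not BugBrain's code; key, version and storage interface are assumptions for this example.
const CONSENT_KEY = 'cookie_consent';   // assumed storage key
const CONSENT_VERSION = 2;              // bump whenever the disclosed cookie list changes
const CATEGORIES = ['required', 'functional', 'analytics', 'marketing'];

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Returns the stored consent record, or null if it is absent, malformed or stale.
function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const c = JSON.parse(raw);
    if (c.version !== CONSENT_VERSION) return null;   // inventory changed: ask again
    return c;
  } catch (_) {
    return null;                                        // corrupted value: treat as no consent
  }
}

// Persists the user's choice. Anything not explicitly granted is false (opt-in, never opt-out).
function saveConsent(storage, choices) {
  const categories = {};
  for (const cat of CATEGORIES) {
    categories[cat] = cat === 'required' ? true : Boolean(choices[cat]);
  }
  const record = { version: CONSENT_VERSION, categories, updatedAt: new Date().toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

const acceptAll = (s) => saveConsent(s, { functional: true, analytics: true, marketing: true });
const rejectAll = (s) => saveConsent(s, {});   // "Reject All" is a single, valid, stored choice

// Show the banner on first visit and again whenever the stored record is stale.
function needsBanner(storage) {
  return loadConsent(storage) === null;
}

// Before any decision only strictly required cookies may be set.
function isAllowed(storage, category) {
  const c = loadConsent(storage);
  if (c === null) return category === 'required';
  return c.categories[category] === true;
}

// Gate tracker loading on the stored consent; returns the names that may be loaded.
function trackersToLoad(storage, trackers) {
  return trackers.filter((t) => isAllowed(storage, t.category)).map((t) => t.name);
}
```

The important property for the "Consent Persistence" check is that a rejection is stored just like an acceptance: the banner is not shown again on the next visit, and no non-required tracker is loaded until the user changes the choice or the cookie inventory (and therefore `CONSENT_VERSION`) changes.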
### Privacy Policy & Legal
**Privacy Policy Link** — Privacy policy must be easily accessible
- Detects missing privacy policy link in footer/header
- Checks policy is current (updated within 12 months)
- Severity: Serious (required by GDPR)
**Terms of Service** — Terms must be accessible and current
- Detects missing ToS link
- Checks visibility and readability
- Severity: Moderate
### Data Subject Rights
**Profile/Account Access** — Users must be able to access their data
- Detects missing “Profile” or “Account Settings” page
- Checks if user can download personal data
- Severity: Critical (GDPR Article 15: Right to Access)
**Data Download** — Users must be able to export their data
- Checks for “Export my data” or “Download my data” feature
- Verifies export includes all personal data
- Supports CSV, JSON, or other portable formats
- Severity: Critical (GDPR Article 20: Data Portability)
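"Verifies export includes all personal data" is the part of this check that usually fails in practice: a field is added to the schema and never added to the export. As an added example (not BugBrain's code and not from the original page), this JavaScript builds the export from a single personal-data inventory and then checks an export against that inventory, so drift between the two is reported. The inventory, the sample records and the assumption that the app stores data in the sources `account`, `profile` and `orders` are all constructed for the example.

```javascript
// Added example: inventory-driven data export with a completeness check.
// Not BugBrain's code; the inventory and record shapes below are constructed.

// Where personal data lives: source -> fields that are personal data for a subject.
// Internal columns (password hashes, fraud scores, staff notes) are deliberately not listed.
const PERSONAL_DATA_INVENTORY = {
  account: ['email', 'display_name', 'created_at'],
  profile: ['bio', 'avatar_url'],
  orders: ['shipping_address'],
};

// Builds the JSON export: one key per source, only the inventoried fields of each row.
function buildExport(records) {
  const out = {};
  for (const [source, fields] of Object.entries(PERSONAL_DATA_INVENTORY)) {
    const rows = records[source] || [];
    out[source] = rows.map((row) => {
      const picked = {};
      for (const f of fields) if (f in row) picked[f] = row[f];
      return picked;
    });
  }
  return out;
}

// Returns "source.field" entries the inventory promises but the export lacks.
// Run this against whatever the export endpoint actually returns, not only against buildExport().
function missingFields(exportObj) {
  const missing = [];
  for (const [source, fields] of Object.entries(PERSONAL_DATA_INVENTORY)) {
    const rows = exportObj[source];
    if (!Array.isArray(rows)) {          // whole source absent from the export
      fields.forEach((f) => missing.push(`${source}.${f}`));
      continue;
    }
    for (const f of fields) {
      if (rows.length > 0 && !rows.every((r) => f in r)) missing.push(`${source}.${f}`);
    }
  }
  return missing;
}

// Flat CSV for one source (portable format alongside JSON); values are quoted and escaped.
function toCsv(rows, fields) {
  const esc = (v) => `"${String(v ?? '').replace(/"/g, '""')}"`;
  const header = fields.map(esc).join(',');
  const body = rows.map((r) => fields.map((f) => esc(r[f])).join(','));
  return [header, ...body].join('\n');
}
```

Keeping the inventory as the single source of truth for both the export and the check means a reviewer can confirm completeness by reviewing one list against the data model rather than by reading the export code.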
**Delete Account** — Users must be able to request deletion
- Detects missing “Delete my account” or “Request deletion” option
- Checks if deletion process is clear
- Severity: Critical (GDPR Article 17: Right to be Forgotten)
**Unsubscribe/Opt-Out** — Users must be able to opt out of marketing
- Detects missing unsubscribe link in emails
- Checks for marketing preference center
- Verifies one-click unsubscribe works
- Severity: Serious
### Third-Party & Data Sharing
**Third-Party Trackers** — All external scripts must be disclosed
- Detects Google Analytics, Facebook Pixel, Hotjar, etc.
- Flags undisclosed tracking
- Checks if trackers require consent
- Severity: Serious (GDPR Article 6: Legal Basis)
**Data Processing Addendum (DPA)** — Data processors must have a DPA
- Checks for links to vendor/processor agreements
- Verifies data processors are GDPR-compliant
- Severity: Serious
## Compliance Checklist
| Item | Status | Notes |
|---|---|---|
| Cookie consent banner present | ☐ | Must appear on first visit |
| Consent includes “Reject All” | ☐ | Cannot force acceptance |
| Privacy policy accessible and current | ☐ | Updated in last 12 months |
| Terms of Service accessible | ☐ | Optional but recommended |
| User profile/settings page present | ☐ | Users can view their data |
| Data export/download feature | ☐ | CSV/JSON format |
| Delete account option available | ☐ | Users can request deletion |
| Unsubscribe link in emails | ☐ | One-click opt-out |
| Third-party tools documented | ☐ | Full vendor list |
| DPA in place for all processors | ☐ | Data processor agreements |
## Common GDPR Issues & Fixes
### Issue: No Reject All Button
**Problem:** Cookie banner only has “Accept All” and “Customize” buttons

```html
<!-- Before -->
<button>Accept All</button>
<button>Customize</button>

<!-- After -->
<button>Accept All</button>
<button>Reject All</button>
<button>Customize</button>
```

### Issue: Missing Privacy Policy
**Problem:** No privacy policy link in footer

```html
<!-- Before -->
<footer>
  <p>© 2025 Company. All rights reserved.</p>
</footer>

<!-- After -->
<footer>
  <p>© 2025 Company. All rights reserved.</p>
  <a href="/privacy-policy">Privacy Policy</a>
  <a href="/terms">Terms of Service</a>
</footer>
```

### Issue: No Data Delete Option
**Problem:** Settings page lacks delete account option

```html
<!-- Add to settings page -->
<div class="danger-zone">
  <h3>Delete Account</h3>
  <p>Once you delete your account, there is no going back. Please be certain.</p>
  <button onclick="requestDelete()">Request Account Deletion</button>
</div>
```

### Issue: No Unsubscribe Link
**Problem:** Marketing emails don’t include unsubscribe

```html
<!-- Marketing email footer -->
<p>
  <a href="https://example.com/unsubscribe?email={{email}}">Unsubscribe</a>
  | <a href="https://example.com/preferences">Update Preferences</a>
</p>
```

## What Requires Manual Review
BugBrain detects surface-level compliance issues automatically. In the list below, ✓ marks checks the scanner performs and ✗ marks items that still require review by your legal or compliance team:
- ✓ Cookie consent presence (automated)
- ✗ Cookie consent wording (legal review required)
- ✓ Privacy policy existence (automated)
- ✗ Privacy policy adequacy (legal review required)
- ✓ Data export feature presence (automated)
- ✗ Data export completeness (manual testing required)
- ✓ Third-party trackers (automated)
- ✗ Legal basis for processing (legal review required)
- ✗ Data retention policies (documentation review)
- ✗ International data transfers (legal analysis)
**Important:** This automated testing covers common GDPR gaps but does not constitute legal advice. Consult with a data protection officer (DPO) or privacy attorney to ensure full GDPR compliance. GDPR violations can result in fines up to €20 million or 4% of annual global revenue, whichever is higher.
## For Data Protection Officers (DPOs)
Export GDPR audit results for compliance documentation:
- Compliance Report — PDF with all violations and remediation status
- Audit History — Track compliance over time (monthly audits recommended)
- Vendor List — All third-party trackers and data processors detected
- Data Flow Diagram — System-generated map of data flows
- Incident Log — Record audit dates and findings for regulatory records
Reports are suitable for submission to supervisory authorities and for annual compliance reviews.