Bitsight and Lokker report
We want to provide context for how best to interpret your Privacy Risk Assessment Report. Your report provides insights for both privacy and cybersecurity risks. Below you will find general report details, or you can visit our tailored guidance specific to your use case.
Have questions about your report? Here's a clear breakdown of each element: what we check, why it matters, how we calculate it, and how to act on your results.
Privacy Risk by Category
Lokker's Web Privacy Risk Score™ offers organizations a clear and quantifiable way to evaluate, identify and mitigate web privacy risks that may result in a privacy breach, enforcement action or lawsuit. This tool provides a detailed view of risks across website domains or portfolios of domains, allowing companies to pinpoint risks by webpage, severity, and frequency.
Lokker's risk model uses advanced scanning capabilities to evaluate websites without requiring integration or code modifications. The baseline risk scores are based on an analysis of over 80,000 websites across various S&P industry sectors. The scoring model measures overall risks and breaks them down into seven specific categories described below.
Cookies represent one of the most fundamental mechanisms for data sharing on websites. They can store user information that is later shared with or accessed by third parties. Risks in this category are identified under the following conditions: third party cookies were set before obtaining explicit user consent, or third party cookies were loaded without obtaining explicit user consent.
Data being stored in a third-party cookie indicates that data has been shared with a third party. As a result, the cookie can later be used to reference this data for showing ads to the user, merge with data shared from other sites or other online/offline transactions.
First-party cookie risk
This category also includes first party cookies that were set before or without obtaining explicit user consent. First-party cookies are generally intended for website use, while third-party cookies are for use by third parties. However, a JavaScript workaround exists that allows third parties to set first-party cookies, creating first-party cookie risk.
Why it matters
Cookies facilitate data sharing between websites and third parties. This data can be used for targeted advertising, user profiling, or merging with other datasets, potentially exposing users to privacy violations.
This category evaluates the presence and sharing of sensitive user information, such as personally identifiable information (PII), financial details, or health-related data. The type of data being shared affects the risk score depending on the sensitivity of the data, as does the type of site and page factors on which it is found. For example, sending credit card data is more sensitive than sending the user's first name.
How it's assessed
Lokker tests for data loss by filling out forms with fake data, and then does a lookup to see if any of that data is sent to a third party, and if so, where did it go and to whom.
Why it matters
Unauthorized sharing of sensitive data increases the risk of identity theft, fraud, and regulatory penalties under laws like GDPR, CCPA/CPRA, and related state laws.
The session replay risk category includes session replay tools from third parties like Dynatrace or Hotjar being detected on a website. These tools record user interactions (e.g., clicks, keystrokes, and navigation) to help site owners understand user behavior. Risk occurs when data is being shared with these third parties, especially when the proper notice has not been given and/or the proper consent has not been received from the user.
Why it matters
When sensitive user interactions are recorded and shared without consent, it can lead to significant privacy concerns and legal repercussions.
This category assesses third-party tracking technologies embedded on your website, which can monitor user behavior and share data with external entities which you may not have approved for sharing.
Fingerprinting
Scripts taking a unique "fingerprint" of a user's browser in order to track their activity across different websites. Lokker looks at all of the methods called by a script and assigns a weighting to the ones commonly used for browser fingerprinting.
Trackers detected
The presence, number and type of third-party code (Trackers) found on your site affects the score.
User IDs (keys) sent
Lokker assesses the data sent to a third-party to check if there is any high risk data like user_ids sent back to the third party.
User behavior sent
Lokker assesses the data sent to a third party to check if there is any sensitive behavior sent back to the third party.
Third-party iframes found
This check looks for iframes created on your site by third parties. When these are found the risk score is increased accordingly.
Why it matters
Trackers can compromise user privacy and undermine trust by sharing data without user awareness or consent.
This category evaluates the geographic location of third-party servers receiving data from your site. Some countries are considered high-risk due to their regulatory environment, cyber practices, or political climate.
High-risk countries
Russia, China, Belarus, Venezuela, Cuba, Turkmenistan, Syria, Eritrea, North Korea.
How it's assessed
Lokker examines the IP addresses of third-party servers to determine their geographic location.
Why it matters
Data sent to high-risk jurisdictions may be vulnerable to surveillance, hacking, or misuse, leading to significant privacy concerns.
This category examines whether your website complies with legal requirements for obtaining user consent.
What we check
Is the user presented with a privacy consent banner when they enter your site? Do the pages on your site have the regulatory message for 'Do Not Sell My Information'? If either of these are true, the score risk is increased.
Why it matters
Failure to provide proper consent mechanisms can lead to legal penalties under privacy regulations such as GDPR and CCPA/CPRA. Under California law as amended by the CPRA, that includes ensuring opt-out of sale and sharing is functional and GPC signals are honored.
This category includes checks against the domain name used by any third-parties on your site and their associated risks.
What we check
Malicious Domains (cross-referenced against a malware database), Security certificate issues, and Domain registration age (registered within the past 30 or 180 days).
Why it matters
Newly registered domains or those with inadequate security measures can pose significant risks to user data and site integrity. By breaking down privacy risks into these categories, Lokker's Web Privacy Risk Score™ provides actionable insights to help organizations safeguard user data, enhance compliance, and build trust and integrity.
Risk Summary
Why We Look for This
The California Invasion of Privacy Act (CIPA) prohibits wiretapping, which may occur when session replay tools record user interactions without proper consent. Having a session replay tool on your site, without 100% correct notice and consent creates privacy risk. Session Replay = Wiretapping tools.
How We Check for This
We scan your website to identify session replay tools and assess whether they are active or collecting data.
Understanding the Report Results
Why We Look for This
Over 10 states and 120 countries around the world have consumer data privacy laws which impact if and how your business uses a consent banner.
How We Check for This
The Lokker scanner simulates a user going to your site and checks if a consent banner is presented on all the scanned pages.
Understanding the Report Results
Why We Look for This
Malicious domains which contain malware can indicate privacy risk or a data breach. Recently registered domains are considered risky because cybercriminals often use newly registered domain names to host malicious content like phishing sites, malware distribution points, or command-and-control servers.
How We Check for This
Malicious Domains: We check third parties on your site against a database of known malicious sites. Recently Registered Domains: We check the domain registration date of all third parties on your site.
Understanding the Report Results
Why We Look for This
Tags on your site from servers in certain high risk countries, as designated by the US government, are considered high-risk due to their regulatory environment, cyber practices, or political climate.
How We Check for This
Lokker examines the IP addresses of third-party servers to determine their geographic location from any of these "Countries of Concern": Russia, China, Belarus, Venezuela, Cuba, Turkmenistan, Syria, Eritrea, North Korea.
Understanding the Report Results
Why We Look for This
Unauthorized sharing of sensitive data increases the risk of identity theft, fraud, and regulatory penalties under laws like GDPR, CCPA/CPRA, and related state laws. The CPRA introduced a dedicated category of sensitive personal information with heightened protections, making form data and health-adjacent data sharing an especially high-priority compliance area.
How We Check for This
Lokker tests for data loss by filling out forms with fake data, and then does a lookup to see if any of that data is sent to a third party, and if so, where did it go and to whom.
Understanding the Report Results
Why We Look for This
When third party tags from some social media are used on healthcare sites, privacy risk is increased.
How We Check for This
If the site has been designated a healthcare site in the Lokker system configuration, then the Lokker scanner examines the site content to determine if any third party tags originate from Social media, e.g. Meta (Facebook/Instagram), TikTok, LinkedIn, Snapchat, or Pinterest.
Understanding the Report Results
Why We Look for This
This category assesses third-party tracking technologies embedded on your website, which can monitor user behavior and share data with external entities which you may not have approved for sharing. This can compromise user privacy and undermine trust by sharing data without user awareness or consent.
How We Check for This
We look for fingerprinting scripts that take a unique "fingerprint" of a user's browser. We consider the presence, number and type of third-party trackers found on your site. We look for user IDs (keys) sent to third parties, user behavior being sent, and the presence of third-party iframes on your site.
Understanding the Report Results
Why We Look for This
The Video Privacy Protection Act (VPPA) prohibits the disclosure of personally identifiable information about users' video-watching habits without explicit consent. It is a federal law originally passed to protect people's video rental histories, but has been repurposed by plaintiffs to file cases against companies.
How We Check for This
Lokker looks for combinations of events where a consumer views a website with video content and the consumer's video-watching behavior is shared with a third party without explicit consent. We also analyze how pixels are configured to see if they share sensitive video analytics such as video titles or watch times with third parties.
Understanding the Report Results
Critical Risks
Risks that have been identified as critical have the potential to result in monetary or reputation damages to your company. These risks should be mitigated immediately.
Domain hijacking is the unauthorized takeover of a domain name, usually by exploiting security weaknesses or administrative loopholes. Attackers gain control of a domain and can redirect traffic, disrupt services, or use it for malicious activities.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (3) with this risk was found. | Found on 3 of 20 pages inspected |
| Description | This is the act of changing the registration of a domain name without the permission of its original registrant. | Domain Hijacking |
| Example Page | This is an example of a page with a hijacked domain. There may be additional pages with risk. | https://farrelldistributing.com/rtd-cocktails |
| Example Request URL | The complete URL of the third party which has hijacked this page. | https://polyfill.io/v2/polyfill.min.js?features |
| Count | Number of pages where this risk was found. | 3 |
| Pages Impacted | The names of one or more pages on your site where this risk was found. | https://example.com/beer/, https://example.com/non-alcoholic, https://example.com/rtd-cocktails |
Lokker performs checks to prevent the sharing of highly sensitive data with third parties. This includes personal information such as passwords, social security numbers, and credit card information, which can be used to compromise an individual's privacy or commit identity theft.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (1) with this risk found. | Found on 1 of 20 pages inspected |
| Description | Extremely sensitive data has been shared with a third party, including passwords, credit card numbers, or social security numbers. | Use extreme caution when collecting and sharing this information. Review your agreement with this partner to ensure appropriate security measures. If unsure, block data sharing via the Manage Third Parties dashboard. |
| Field | This identifies the type of data shared. | Password |
| Domain | The third-party website receiving the data. Engage your engineering team to understand why. | formstack.com |
| Script | When a script is used to share data, this shows the user action that initiates the sharing. | Button Click |
| Target URL | The URL of the third-party website receiving the data. | https://eternityweb.formstack.com/forms/index.php |
| Fake Data Field | Lokker simulates a "fake" user entering data on your site for testing. This is the fake data used. | orBOxAAzW6d@Ejm7 |
| Example Page | An example of a page where sensitive data is sent to a third party. | https://farrelldistributing.com/rtd-cocktails |
| Count | Number of pages where this risk was found. | 1 |
| Pages Impacted | Names of the pages on your site where this risk was found. | https://farrelldistributing.com/request-a-donation |
This risk occurs when a pixel from Meta is placed on a page that provides health care information to the user. The Meta pixel sends data to Facebook including the Facebook user ID and details of the page viewed. Because Facebook also has access to email addresses and other personal information, it can link a real person to the specific healthcare information viewed.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (3) with this risk was found. | Found on 3 of 20 pages inspected |
| Description | While this risk is referred to as the Meta Pixel risk, it is the Facebook website that is receiving information from your site. | We detected the Meta Pixel on the page, on a website we believe to be in a higher risk industry. |
| Industry | The industry classification of the page on your site with the risk. | Healthcare - Medical Devices and Supplies |
| Example Page | This is an example of a page on your site with the Facebook pixel. There may be additional pages with risk. | https://blueskybio.com/pages/bio-cut |
| Example Request URL | The complete URL of the third party which is receiving information from your site. | https://www.facebook.com/tr/?id |
| Meta Pixel ID | Facebook uses this ID to identify the user. | 232570173945555 |
| Count | Number of pages where this risk was found. | 3 |
| Pages Impacted | The names of one or more pages on your site where this risk was found. | https://example.com/pages/about-us, https://example.com/pages/bioconus-12, https://example.com/pages/bioconus-12_0 |
The Video Privacy Protection Act (VPPA) risk arises when a website with playable video content shares user data with a third-party that possesses personally identifiable information (PII) of those users. The legal risk exists because the third party gains knowledge of the email addresses (or other PII) of individuals who had access to the video on the website. The VPPA risk occurs when 3 conditions simultaneously exist: a website with video content, data sharing with a third party, and the third party possessing PII of the user.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (1) with this risk was found. | Found on 1 of 20 pages inspected |
| Description | VPPA is the law which could be used to bring legal action. | Almost certainly a breach of the Video Privacy Protection Act (VPPA). |
| Example Page | This is an example of a page containing the video and a tag which shares data. There may be additional pages with risk. | https://example.com/2023/02/08/drayage/ |
| Video Provider | Hosting website of the video found on the page. | facebook.com |
| Social Tracker | Third party which is informed that the user is on a page with a video. | linkedin.com |
| Shared Data Name | Parameter used in the URL sending information to a third party. | video (px.ads.linkedin.com/collect?video=titanic) |
| Shared Data Value | The value of the data being shared. | titanic (px.ads.linkedin.com/collect?video=titanic) |
| Count | Number of pages where this risk was found. | 1 |
| Pages Impacted | The names of one or more pages on your site where this risk was found. | https://example.com/2023/02/08/drayage/, https://example.com/shipping/ |
The Global Privacy Control (GPC) is a setting that can be enabled within a user's web browser. When active, it transmits a signal to websites when a user visits the site, communicating the user's preference for privacy, indicating that their personal data should not be sold or shared with third parties. Lokker detects if your website is honoring the GPC signal. If your website is not respecting GPC, it is flagged here. There are potential legal and regulatory actions for this including fines, penalties, and lawsuits.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Page Count | This is the number of scanned pages (20) and the number of pages on your site (3) with this risk was found. | Found on 3 of 20 pages inspected |
| Example Page | This is an example of a page which is not checking for GPC. | https://example.com/careers |
| Example Request URL | The complete URL of the page which is not checking for GPC. | https://polyfill.io/v2/polyfill.min.js?features |
| Count | Number of pages where this risk was found. | 3 |
Lokker checks to ensure that sensitive data is not being shared with a third party. This type of data includes: first name, middle name, last name, full name, password, email address, company name, phone number, credit card, street address, state, city, country, zip, sex, diagnosis, credit card name, credit card expiry, or age. This type of personal information can be used to expose an individual's private information or help steal their identity.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (1) with this risk was found. | Found on 1 of 20 pages inspected |
| Description | Sensitive data has been shared with a third party. | Use extreme caution when collecting and sharing this information with a third-party. Review your agreement with this partner to ensure they have appropriate security measures. If you don't recognize the partner receiving the data, block data sharing through the Manage Third Parties dashboard. |
| Field | This identifies the type of data which has been shared. | State [the user resides in] |
| Domain | The third party website receiving the data. Engage your engineering staff to understand why. | formstack.com |
| Script | When a script is used to share data, this contains the user action which initiates the sharing. | Button Click |
| Target URL | The URL of the third party website receiving the data. | https://eternityweb.formstack.com/forms/index.php |
| Fake Data Field | Lokker simulates a "fake" user to your site which enters fake data in places where data is collected. This is the fake data used. | Alaska |
| Example Page | This is an example of a page where extremely sensitive data is sent to a third party. There may be additional pages with this risk. | https://example.com/rtd-cocktails |
| Count | Number of pages where this risk was found. | 1 |
Lokker checks each page to ensure a consent banner is displayed. A privacy consent banner on your site is crucial for legal compliance, transparency and trust, user control, data protection, and brand reputation. More than 120 countries and 15 US states have data protection laws that require websites to obtain explicit consent from users before collecting and processing their personal information.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk | Critical is the highest level of risk. | Critical |
| Page Count | Number of pages where this risk was found. | 20 |
| Example Page | This is an example of a page which is missing a consent banner. | https://example.com/careers |
| Count | Number of pages where this risk was found. | 20 |
High Risks
Risks that have been identified as requiring additional information from you to verify the risk to your company.
This risk assessment indicates that a social media website is currently receiving data from a specific page on your website. This data has been classified by Lokker as containing sensitive consumer Health Care information. Several US states, e.g. Washington, have explicitly blocked this type of data sharing. The transmission of this data to an external social media site raises concerns around data privacy and potential non-compliance with relevant healthcare regulations.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk Factor | Verification is the second highest level of risk. | Verification |
| Spread | This is the number of scanned pages (20) and the number of pages on your site (20) with this risk was found. | Found on 20 of 20 pages inspected |
| Description | A social media third party tag was found on a page on your site with consumer health care information. | Social Media Domain Critical |
| Industry | This indicates the industry classification of the page on your site with the risk. | Medical Devices and Supplies |
| Example Page | This is an example of a page containing healthcare information and a tag which shares data. There may be additional pages with risk. | https://blueskybio.com/pages/cache-test |
| Example Request Domain | Hosting website of the third party tag found on the page. | facebook.net |
| Example Request URL | The complete URL of the third party which is receiving information from your site. | https://connect.facebook.net/en_US/all.js#appId |
| Social Media Site | The social media platform receiving data from your site. | |
| Count | Number of pages where this risk was found. | 20 |
| Pages Impacted | The names of one or more pages on your site where this risk was found. | https://example.com/pages/about-us, https://example.com/pages/bioconus-12 |
Lokker detects the number of third-party domains on websites and compares the overall number and type to the S&P 500 and other industries to determine if a website is better, comparable, or significantly worse than the baseline. These third parties increase the need for you to monitor for unauthorized data collection and proper governance. Often, third parties are not placed by you directly but are instead piggybacking on another script. The website owner remains responsible, even if they didn't directly place the script themselves.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk Factor | Verification is the second highest level of risk. | Third-Party Domains |
| Page Count | Number of pages where this risk was found. | 20 |
| Domain | An example of a third party domain used for sharing data. | adnxs.com |
| Example Page | This is an example of a page with one or more third party domains used for sharing data. There may be additional pages with this risk. | https://example.com/blog/why-automate/ |
| Percent | The percent of pages on your site containing third party domains. | 100% |
The California Invasion of Privacy Act (CIPA) is a state law that safeguards the privacy rights of California residents by imposing strict regulations on the recording and monitoring of conversations and communications. When third party session replay tools are used on a website, data sent to the third party enables it to know all the actions the user has taken on the web site. HotJar and Dynatrace are examples of session replay tools.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk Factor | Verification is the second highest level of risk. | CIPA Wiretapping Risk |
| Page Count | Number of pages where this risk was found. | 20 |
| Domain | Hosting website of the session replay tool found on the page. | clarity.ms |
| Example Page | This is an example of a page with one or more third party domains identifying session replay tools. There may be additional pages with this risk. | https://backbox.com/blog/eight-rules-of-backup/ |
| Percent | The percent of pages on your site containing session replay tools. | 100% |
This assessment checks for the presence of any of the following tags which have been identified as high risk: adnxs.com, bing.com, addthis.com, sharethis.com, bluekai.com.
| Attribute | Additional Information | Description |
|---|---|---|
| Risk Factor | Verification is the second highest level of risk. | Third-Party Domains |
| Page Count | Number of pages where this risk was found. | 20 |
| Domain | Hosting website of the high risk third party found on the page. | adnxs.com |
| Example Page | This is an example of a page with one or more high risk third party domains. There may be additional pages with this risk. | https://example.com/2023/09/05/acertus-acquires-rcg-logistics/ |
| Percent | The percent of pages on your site containing high risk session replay tools. | 100% |
Need more details? If you have questions or want a deeper analysis, reach out, we're happy to help.