Protect Your Website from Privacy Risks: Insights from Scanning the S&P 500 Websites

Part of our mission at LOKKER is to educate and help protect the public from web privacy risks. Therefore, we frequently scan a sample set of websites to identify privacy risk trends and evolving threats in the greater privacy ecosystem.

Our most recent research involved scanning and scoring websites from the S&P 500 with our proprietary Web Privacy Risk Score™. The S&P 500, the largest publicly traded companies in the United States, was chosen because it represents companies in diverse sectors and a high volume of web traffic. 

First, what are we considering web privacy risks?

The methodology behind the web privacy risk score can be found in greater detail here, but essentially we score websites based on nine factors: 

Essentially we look for seven  types of privacy risks: 

1. Presence of known malware (e.g., data skimmers)
2. Javascript that collects and transmits form data to third parties
3. Presence of session replay tools
4. Third-party tracking scripts (e.g., ad tracking, cross-site tracking)
5. First- and third-party cookies
6. Consent management/cookie banner
7. Third-party requests from foreign domains

The overall site score is calculated by averaging the individual scores assigned to each web page. The rating ranges from 0 to 1,000 points. The privacy risk of a site increases with the score. According to the third-party scripts’ intended use, frequency, and location, the score has modified the weighting for the various risk types.

What did we learn from scanning the S&P 500 for web privacy risks?

We used LOKKER’s Privacy Edge platform to scan these 500 sites for privacy risks and found that 30% of the S&P 500 websites are at significant privacy risk (medium or high risk) according to the LOKKER Web Privacy Risk Score™ analysis. 

We further broke it out by industry. Below is the % of websites found to have a significant privacy risk by sector:

• IT – 48%
• Financial – 42.42%
• Real Estate – 31.03%
• Consumer Discretionary – 29.09%
• Materials – 27.58%
• Industrials – 27.50%
• Healthcare – 26.98%
• Communication Services – 22.71%
• Utilities – 20.60%
• Energy – 13.04%
• Consumer Staples – 9.67%

Some of the most significant issues we uncovered were related to consent practices and using trackers and cookies across websites. We found:

Roughly 40% of websites received a failing grade (D or E) for their tracker use. 

The number of trackers, the type of data they are gathering, and the pages they are on are just a few of the variables used to determine whether a website receives a failing mark. For instance, trackers on pages with forms get a worse grade because they frequently reveal the private information submitted in the form. 

50% of websites scanned received an ‘E,’ the lowest letter grade for their consent practices, indicating they either didn’t have a consent banner or it was misconfigured.

Our research found that many sites load first and third parties on the page before the user can consent, violating privacy laws such as the CPRA and GDPR that require consent for non-essential cookies.

Cookies were another concern, with 49.5% of sites receiving a D or E failing score. 

One of the worst offenders has 542 cookies on its website, including 71 first parties and 471 third-party cookies, which is way above the average of 27 cookies per site.

This sample of sites represents what we see for other large sites across industries. We’ve done scans of different data sets, and the results are similar; roughly 25-30% of websites are at significant privacy risk.

How can you protect your website visitors from web privacy risks?

We are proactively sharing this news as a warning for businesses to check their websites for these common privacy risks and for internet users to be aware of the threats.

Here are a few tips that both consumers and businesses can follow to reduce consumer exposure to privacy risks:

• Consumers concerned about data privacy risks should follow instructions to turn off cookies in their browsers.

• Keep an eye out for sites with a lot of advertising and multimedia on the page. Third parties often power these features and collect and share consumer data.

• Organizations should do a thorough audit of their website for privacy risks. Our research has shown that the riskiest pages generally have forms, like appointment schedulers, contact us pages, support, or e-commerce pages, due to the sensitive data shared on these pages.

• Implement a consent banner if you haven’t already. Many business leaders think they don’t need to do this because they aren’t in a state with a comprehensive privacy law. That’s not true. If you have traffic from states or nations that do offer a comprehensive data privacy law to protect their citizens, these standards must be upheld wherever they visit the web. For example, the GDPR protects EU citizens, even if their data is sent to other countries. If traffic comes from the EU, you must protect those visitors with the same protection as under GDPR.
  • Also, ensure your consent banner loads before non-essential cookies and trackers. This common issue puts these organizations at risk of privacy compliance violations.

• Consent is a good step that will help with compliance, but to truly protect customers’ data, remove third parties that aren’t necessary, like duplicate tracking tools, the technology you no longer use or implement software that can block data-sharing with specific tools automatically. These practices will reduce the threat surface for potential stealing or misuse of data by reducing the number of vendors who store this information.

Privacy Edge has automatic scanning, scoring, blocking, and monitoring capabilities to protect website visitors from existing and emerging threats. 

Contact us to learn how Privacy Edge can protect your organization.