7DOTS Report: 81% of Universities at risk of fines due to failure to safeguard student data

Last week The UK’s Information Commissioner’s Office (ICO) warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.

The research, conducted using our custom cookie compliance testing tool, reveals a strikingly low (32%) implementation rate of Consent Management Platforms, which are a crucial component for GDPR adherence.

The prevalence of Google Analytics on 82% of non-compliant sites and the utilisation of paid social platforms with embedded tracking mechanisms were identified as significant contributors to lack of compliance.

Alongside Google Analytics other well known storage vendors frequently present on non-compliant sites are Facebook, Google, LinkedIn and Tik Tok, meaning visitor data is being sent to these 3rd-party platforms without their consent. This means they can be targeted for advertising despite not giving permission.

Storage vendors present on non-compliant websites:

Even among the 109 institutions employing such platforms, a staggering 66% were found to be inadequately processing website visitors’ data in alignment with GDPR standards. This is likely being caused by web editors hardcoding scripts/assets (e.g., YouTube videos) into websites, preventing Content Security Policy (CSP) restrictions on loading.

This improper configuration of the Consent Management Platform (CCM) and Tag Management Platform (TMP) means that even if users decline cookies, communication between CCM and TMP is lacking, rendering tracking preferences ineffective as data is still being shared with third parties.

These practices not only violate GDPR (and hundreds of other regional and country-specific) regulations but also pose a serious threat to the privacy and data rights of students and other website visitors with tracking of this nature now expressly prohibited.

The GDPR, designed to ensure the responsible handling of personal data, imposes stringent rules on organisations, emphasising the need for careful and lawful processing of individuals' information. Failure to comply not only indicates a lack of awareness or disregard for GDPR guidelines but also exposes institutions to substantial fines.

Last week Stephen Almond, ICO executive director for regulatory risk issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those who don’t comply.

Recent enforcement actions by data commissions across Europe, such as the record 1.2 billion euro fine imposed by Ireland's Data Protection Commission on Meta Platforms Ireland, underscore the severity of non-compliance repercussions.