GDPR
Consent Mechanism
The website deploys Twitter/X Pixel (advertising tracker) and Google Tag Manager without presenting a cookie consent banner. Under GDPR, prior explicit consent is required before placing non-essential cookies or tracking technologies on a user's device. The absence of any cookie banner means advertising and analytics trackers fire without obtaining legally valid consent from EU visitors, violating Articles 6 and 7 of GDPR and the ePrivacy Directive.
Recommendation: Implement a GDPR-compliant cookie consent management platform (CMP) that blocks all non-essential cookies and trackers until the user provides affirmative consent. The banner must offer granular choices (e.g., advertising, analytics, functional) and allow users to reject all non-essential cookies as easily as accepting them.
GDPR
Cookie Consent
Found 2 third-party tracker(s) (Twitter/X Pixel, Google Tag Manager) but no cookie consent mechanism. GDPR requires explicit opt-in consent before placing non-essential cookies.
Recommendation: Implement a cookie consent banner that blocks non-essential cookies until the user provides explicit consent. Consider tools like CookieBot, OneTrust, or a custom implementation.
GDPR
Cross-Border Transfer
The privacy policy states 'Our Services are performed in the United States' but the site is accessible to EU users and collects data via forms and third-party trackers. There is no mention of transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions) to lawfully transfer personal data of EU data subjects to the US under GDPR Articles 44-49. Third-party trackers like Twitter and Google also transfer data internationally without disclosed safeguards.
Recommendation: Add a dedicated section in the privacy policy detailing the legal mechanisms relied upon for international data transfers (e.g., SCCs, binding corporate rules). Ensure Data Processing Agreements with third parties like Google and Twitter include appropriate transfer safeguards.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Legal Basis
The privacy policy excerpt does not identify the lawful basis for processing personal data as required by GDPR Article 6. For each processing activity (form submissions, advertising tracking, analytics), a specific legal basis must be documented and disclosed to data subjects. The policy appears US-focused and does not address GDPR requirements for EU data subjects.
Recommendation: Update the privacy policy to clearly identify the lawful basis (consent, legitimate interest, contractual necessity, etc.) for each category of data processing. For advertising trackers, consent is likely the only valid basis. Consider adding a GDPR-specific section or supplemental notice for EU visitors.
GDPR
Third-Party Data Sharing
Found 1 advertising tracker(s): Twitter/X Pixel. Each represents potential data sharing that requires explicit consent under GDPR and a valid legal basis.
Recommendation: Ensure each advertising tracker has a clear legal basis (consent), is documented in your privacy policy, and is blocked until consent is given.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Cookie Consent
CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" option. 2 tracker(s) detected without any opt-out control.
Recommendation: Add a visible "Do Not Sell or Share My Personal Information" link and implement GPC (Global Privacy Control) signal detection.
CCPA
Do Not Sell/Share
The website uses Twitter/X advertising pixel and Google Tag Manager, which likely constitute 'sharing' or 'selling' of personal information under CCPA/CPRA definitions. California Civil Code §1798.120 requires a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on the homepage. No such link was detected during the scan. The truncated privacy policy excerpt does not show evidence of this opt-out mechanism being provided.
Recommendation: Add a prominent 'Do Not Sell or Share My Personal Information' link on the website footer and homepage. Implement a mechanism (such as the Global Privacy Control signal recognition) that allows California consumers to opt out of the sale or sharing of their personal information, and honor GPC signals as required by CPRA regulations.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CPA
Cookie Consent
Colorado Privacy Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by CPA (Colorado).
CPA
Universal Opt-Out
The Colorado Privacy Act requires controllers to recognize universal opt-out mechanisms (such as Global Privacy Control) by July 1, 2024. The absence of a cookie banner and any visible opt-out mechanism suggests the site does not honor universal opt-out signals. With advertising trackers active, Colorado residents' data may be used for targeted advertising without the required opt-out capability.
Recommendation: Implement recognition of universal opt-out signals (e.g., GPC) and provide a clear mechanism for Colorado consumers to opt out of targeted advertising and the sale of personal data, as required by CPA §6-1-1306.
CTDPA
Cookie Consent
Connecticut Data Privacy Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by CTDPA (Connecticut).
CTDPA
Consent for Sensitive Data
The scan detected an 'unknown form' collecting basic data. Under CTDPA §42-520(a), processing sensitive data requires prior consent. Without clarity on what data these forms collect, there is a risk that sensitive data categories (health, precise geolocation, religious beliefs — particularly relevant given the site's Christian media focus) could be processed without obtaining the required opt-in consent.
Recommendation: Audit all data collection forms to classify the data collected. If any form collects sensitive data under CTDPA definitions (including religious beliefs, which is highly relevant for a Christian media site), implement explicit opt-in consent mechanisms before processing.
TDPSA
Cookie Consent
Texas Data Privacy and Security Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by TDPSA (Texas).
TDPSA
Data Protection Assessment
The Texas Data Privacy and Security Act (effective July 1, 2024) requires controllers to conduct data protection assessments for processing activities that present a heightened risk, including targeted advertising. The deployment of Twitter/X advertising pixels constitutes targeted advertising. There is no indication in the privacy policy that such assessments have been conducted or documented.
Recommendation: Conduct and document data protection assessments for all targeted advertising activities, including the use of Twitter/X Pixel and any behavioral tracking via Google Tag Manager, as required by TDPSA §541.105.
VCDPA
Cookie Consent
Virginia Consumer Data Protection Act requires that consumers be able to opt out of targeted advertising and data sales. Trackers detected without consent controls.
Recommendation: Implement opt-out controls for data processing activities covered by VCDPA (Virginia).
VCDPA
Privacy Notice Completeness
The Virginia Consumer Data Protection Act requires privacy notices to include: categories of personal data processed, purposes of processing, how consumers can exercise their rights (access, deletion, correction, opt-out), categories of third parties with whom data is shared, and whether data is sold or used for targeted advertising. The privacy policy excerpt appears to be a general overview and the truncated content does not clearly address Virginia-specific consumer rights or the specific opt-out rights for targeted advertising and data sales required under VCDPA §59.1-578.
Recommendation: Supplement the privacy policy with VCDPA-specific disclosures including: a clear description of consumer rights under Virginia law, instructions for exercising those rights, an appeal process, categories of data shared with third parties, and explicit disclosure of targeted advertising and sale activities with corresponding opt-out instructions.