Our new report reveals a shocking failure of Universities and higher education institutions to comply with data protection laws. The study, based on a detailed analysis of 335 Universities and Higher Education colleges, highlights a startling 81% non-compliance rate with current General Data Protection Regulation (GDPR) standards.
The widespread compliance failure revealed raises significant concerns about the safeguarding of student data and the potential risks of hefty fines due to non-compliance.
From our detailed analysis of 335 Universities and Higher Education colleges, we found:
81%
are non-compliant
32%
have a consent manager
82%
of the non-compliant sites have GA present
Last week The UK’s Information Commissioner’s Office (ICO) warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.
The research, conducted using our custom cookie compliance testing tool, reveals a strikingly low (32%) implementation rate of Consent Management Platforms, which are a crucial component for GDPR adherence.
The prevalence of Google Analytics on 82% of non-compliant sites and the utilisation of paid social platforms with embedded tracking mechanisms were identified as significant contributors to lack of compliance.
Alongside Google Analytics other well known storage vendors frequently present on non-compliant sites are Facebook, Google, LinkedIn and Tik Tok, meaning visitor data is being sent to these 3rd-party platforms without their consent. This means they can be targeted for advertising despite not giving permission.
Storage vendors present on non-compliant websites:
Even among the 109 institutions employing such platforms, a staggering 66% were found to be inadequately processing website visitors’ data in alignment with GDPR standards. This is likely being caused by web editors hardcoding scripts/assets (e.g., YouTube videos) into websites, preventing Content Security Policy (CSP) restrictions on loading.
This improper configuration of the Consent Management Platform (CCM) and Tag Management Platform (TMP) means that even if users decline cookies, communication between CCM and TMP is lacking, rendering tracking preferences ineffective as data is still being shared with third parties.
These practices not only violate GDPR (and hundreds of other regional and country-specific) regulations but also pose a serious threat to the privacy and data rights of students and other website visitors with tracking of this nature now expressly prohibited.
The GDPR, designed to ensure the responsible handling of personal data, imposes stringent rules on organisations, emphasising the need for careful and lawful processing of individuals' information. Failure to comply not only indicates a lack of awareness or disregard for GDPR guidelines but also exposes institutions to substantial fines.
Last week Stephen Almond, ICO executive director for regulatory risk issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those who don’t comply.
Recent enforcement actions by data commissions across Europe, such as the record 1.2 billion euro fine imposed by Ireland's Data Protection Commission on Meta Platforms Ireland, underscore the severity of non-compliance repercussions.
Nick Williams, Demand Generation Director:
"The results of our study reflect a concerning pattern of non-compliance within higher education institutions, raising significant questions about the safeguarding of student and other website visitor data. The lack of implementation and proper utilisation of GDPR-mandated measures indicates an urgent need for immediate action. The threat of fines is looming larger than ever, particularly given the ICO’s announcement last week. The clock is ticking.
Too many digital experiences are built without thinking about the needs of the end user, creating frustration. Any captivating digital experience needs to start from a place of trust and students today will want to know their data is being protected. This research should serve as a wakeup call for Universities to prioritise data protection and compliance.”
Share this article