GDPR and QA Testing
The General Data Protection Regulation (GDPR) is an EU regulation that governs how organizations collect, process, store, and delete personal data. While GDPR is an EU law, it applies to any organization that processes data of EU residents — meaning most global web applications must comply.
For QA engineers, GDPR creates specific testable requirements. Unlike general security testing, GDPR testing focuses on user rights, consent management, and data lifecycle verification.
Key GDPR Rights to Test
Right to Information (Transparency)
Users must be informed about data collection before it happens:
- Privacy policy is accessible from every page
- Cookie consent banner appears on first visit
- Clear language explains what data is collected and why
- Third-party data sharing is disclosed
- Data retention periods are stated
Right of Access (DSAR)
Users can request all data a company holds about them:
- User can submit a data access request through the application
- Response includes all personal data within 30 days
- Data is provided in a machine-readable format (JSON, CSV)
- Data includes: profile info, activity logs, payment history, communications
- The identity of the requester is verified before data is released
Right to Rectification
Users can correct inaccurate personal data:
- Users can edit their profile information
- Changes propagate to all systems (not just the UI)
- Corrected data is reflected in exports and reports
Right to Erasure (Right to Be Forgotten)
Users can request deletion of all their personal data:
- Deletion request mechanism exists in the application
- All personal data is deleted from primary storage
- Data is removed from backups within a reasonable timeframe
- Data is deleted from third-party systems (analytics, CRM, email)
- Anonymized data (cannot identify the user) may be retained
- Content created by the user in shared spaces is handled appropriately
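One way to verify the "deleted from all systems" items above is to take the deleted user's identifiers and sweep every integrated system for records that still carry them. The following is an added example, not code from the course page: the systems, records and user below are constructed in-memory sample data, and the record shapes are assumptions standing in for what the real database, analytics and marketing exports would return.

```javascript
// Added example (not from the course page): after an erasure request, report
// every record in any system that is still attributable to the deleted user.
// All systems and records below are constructed sample data.

// Identifiers that make a record attributable to the user. Everything is
// lower-cased because systems store emails and ids inconsistently. Use opaque
// ids here: a short numeric id like 42 would match unrelated numeric fields.
function identifiersFor(user) {
  return new Set([String(user.id).toLowerCase(), user.email.toLowerCase()]);
}

// Recursively collect every scalar value in a record (nested objects and
// arrays) together with a dotted path, so a finding can be located later.
function flatten(value, path = '') {
  if (value === null || typeof value !== 'object') return [[path, value]];
  return Object.entries(value).flatMap(([k, v]) =>
    flatten(v, path ? `${path}.${k}` : k));
}

// Paths inside one record whose value equals one of the user's identifiers.
function recordMatches(record, ids) {
  return flatten(record)
    .filter(([, v]) => v !== null && v !== undefined)
    .filter(([, v]) => ids.has(String(v).toLowerCase()))
    .map(([path]) => path);
}

// One finding per residual record: which system, which record, which fields.
// Records carrying none of the identifiers (e.g. analytics events whose userId
// was nulled out) are not reported, since anonymized data may be retained.
function findResidualData(user, systems) {
  const ids = identifiersFor(user);
  const findings = [];
  for (const system of systems) {
    system.records.forEach((record, index) => {
      const fields = recordMatches(record, ids);
      if (fields.length > 0) findings.push({ system: system.name, index, fields });
    });
  }
  return findings;
}

// Constructed sample: the user whose account was just deleted.
const deletedUser = { id: 'u-1042', email: 'Alice@Example.com' };

// Constructed snapshot of the integrated systems after the deletion ran.
const systemsAfterDeletion = [
  { name: 'primary-db', records: [
      { id: 'u-2000', email: 'bob@example.com' } ] },              // another user only
  { name: 'analytics', records: [
      { event: 'page_view', userId: 'u-1042', ts: 1 },             // still attributable
      { event: 'page_view', userId: null, ts: 2 } ] },             // anonymized, allowed
  { name: 'email-marketing', records: [
      { address: 'alice@example.com', list: 'newsletter' } ] },     // still subscribed
  { name: 'crm', records: [
      { contact: { email: 'bob@example.com' }, notes: 'n/a' } ] },
];

// Expected: two findings, one in 'analytics' (userId) and one in
// 'email-marketing' (address).
function demo() {
  return findResidualData(deletedUser, systemsAfterDeletion);
}
```

In a real audit each entry in the systems array would be filled by an adapter that exports the relevant records from that system (including backup snapshots, so a finding there can be checked against the stated retention window); the sweep itself does not change.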
Right to Data Portability
Users can export their data in a common format:
- Export is available in JSON, CSV, or similar machine-readable format
- Export includes all personal data
- Export can be downloaded by the user
- Export does not include other users’ personal data
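The export checks listed under Right of Access and Right to Data Portability (machine-readable, complete, and free of other users' data) can be scripted against the file the application produces. The following is an added example and not code from the course page: the category list, the requester, the organisational allowlist and the sample export are all constructed, and the export's JSON shape is an assumption.

```javascript
// Added example (not from the course page): validate a DSAR / portability
// export for three properties: it parses as JSON, every required category is
// present and non-empty, and it contains no other person's email address.
// The export and identifiers below are constructed sample data.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Walk every string in an object tree and return the emails found, with the
// dotted path of the field they appeared in.
function collectEmails(value, path = '', out = []) {
  if (typeof value === 'string') {
    for (const m of value.match(EMAIL_RE) || []) out.push({ path, email: m.toLowerCase() });
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) collectEmails(v, path ? `${path}.${k}` : k, out);
  }
  return out;
}

// allowedEmails: organisational addresses (support@, noreply@) that are not
// personal data of another user and must not be flagged.
function validateExport(exportText, requester, requiredCategories, allowedEmails = []) {
  const problems = [];
  let data;
  try {
    data = JSON.parse(exportText);
  } catch (e) {
    return { ok: false, problems: ['export is not valid JSON (not machine-readable)'] };
  }
  // Every category must be present and non-empty; an empty array usually means
  // a source system was silently skipped rather than genuinely empty.
  for (const cat of requiredCategories) {
    const v = data[cat];
    if (v === undefined) problems.push(`missing category: ${cat}`);
    else if (Array.isArray(v) && v.length === 0) problems.push(`empty category: ${cat}`);
  }
  // Any email that is neither the requester's nor an allowed organisational
  // address is another person's personal data leaking through the export.
  const ok = new Set([requester.email, ...allowedEmails].map(e => e.toLowerCase()));
  for (const { path, email } of collectEmails(data)) {
    if (!ok.has(email)) problems.push(`third-party email at ${path}: ${email}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed inputs: categories the audit expects and the requesting user.
const REQUIRED = ['profile', 'activity', 'payments', 'communications'];
const requester = { id: 'u-1042', email: 'alice@example.com' };

// Constructed export: payment history is missing and one support message
// quotes another customer's address.
const sampleExport = JSON.stringify({
  profile: { id: 'u-1042', email: 'alice@example.com', name: 'Alice' },
  activity: [{ type: 'login', at: '2024-01-02T10:00:00Z' }],
  communications: [
    { from: 'support@example.com', body: 'Hi Alice, your ticket is open.' },
    { from: 'support@example.com', body: 'FYI, bob@example.com reported the same issue.' },
  ],
});

// Expected: ok === false with two problems (missing payments, third-party email).
function demo() {
  return validateExport(sampleExport, requester, REQUIRED, ['support@example.com']);
}
```

Emails are only one identifier; a production check would extend the scan to whatever other identifiers the application stores (user ids, phone numbers), and would compare the category list against the data inventory rather than a hard-coded array.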
Right to Object
Users can opt out of certain data processing:
- Marketing email opt-out is respected
- Analytics tracking can be disabled
- Data profiling for automated decisions can be opted out of
Cookie Consent Testing
Requirements
| Requirement | Test |
|---|---|
| No tracking before consent | Verify no cookies are set before user interacts with banner |
| Granular choice | User can accept/reject categories (essential, analytics, marketing) |
| Equal prominence | “Reject All” is as visible as “Accept All” |
| No pre-checked boxes | Non-essential categories default to unchecked |
| Revocable consent | User can change preferences later |
| Consent recorded | System stores when and what the user consented to |
| Works without consent | Site functions with only essential cookies |
Testing Cookie Consent
- Open the site in a fresh incognito window
- Before interacting with the banner, check cookies: DevTools > Application > Cookies
- Only essential cookies should be present (none from analytics/marketing)
- Click “Reject All” — verify no tracking cookies are set
- Clear cookies and reload
- Click “Accept All” — verify analytics and marketing cookies are now set
- Find and use the “Cookie Settings” or “Privacy Settings” link
- Change consent — verify cookies are added/removed accordingly
Exercise: GDPR Compliance Audit
Perform a GDPR compliance audit of a web application.
Part 1: Cookie Consent
| Check | Pass/Fail | Notes |
|---|---|---|
| Banner appears on first visit | | |
| No tracking cookies before consent | | |
| Granular consent options available | | |
| “Reject All” equally prominent as “Accept All” | | |
| Non-essential categories unchecked by default | | |
| Cookie preferences can be changed later | | |
| Site works after rejecting all non-essential cookies | | |
Part 2: Data Access Request
| Check | Pass/Fail | Notes |
|---|---|---|
| DSAR mechanism exists (settings or form) | | |
| Identity verification before data release | | |
| Export includes all personal data categories | | |
| Export in machine-readable format | | |
| Export does not include other users’ data | | |
| Acknowledgment within reasonable time | | |
Part 3: Right to Erasure
| Check | Pass/Fail | Notes |
|---|---|---|
| Account deletion request mechanism exists | | |
| Deletion confirmation required (prevent accidental) | | |
| Grace period offered before permanent deletion | | |
| Personal data removed from profile | | |
| User content handled appropriately | | |
| User cannot log in after deletion | | |
| User’s data absent from admin reports | | |
| Notification sent confirming deletion | | |
Part 4: Privacy Controls
| Check | Pass/Fail | Notes |
|---|---|---|
| Privacy policy accessible from every page | | |
| Marketing opt-out available | | |
| Profile data editable by user | | |
| Password change does not expose old password | | |
| Session can be terminated from all devices | | |
Solution: Common GDPR Compliance Bugs
Bug 1: Analytics tracking before cookie consent
The Google Analytics script was loaded in the HTML head before the consent banner was shown, so every visitor was tracked regardless of consent.
Fix: Load analytics only after the user grants consent.
Bug 2: “Reject All” buried in settings
The consent banner had a prominent “Accept All” button but required clicking “Manage Preferences” and then “Reject All” — three clicks versus one. This is considered a dark pattern and non-compliant.
Fix: Add a “Reject All” button at the same level as “Accept All”.
Bug 3: Account deletion left data in analytics
A user requested account deletion. Profile data was removed, but user activity data remained in Google Analytics and Mixpanel with identifiable user IDs.
Fix: Anonymize or delete user identifiers from third-party analytics as part of the deletion flow.
Bug 4: DSAR export missing payment data
The data export included profile and activity data but omitted payment history stored in Stripe.
Fix: Include payment data from all third-party systems in the DSAR export.
Bug 5: Deleted user still in email marketing list
After account deletion, the user’s email remained in the Mailchimp marketing list.
Fix: Trigger deletion in all integrated third-party systems when processing account deletion.
Bug 6: Cookie consent not persisted across subdomains
The user rejected cookies on www.example.com, but cookies were still set on blog.example.com.
Fix: Use a shared consent mechanism across all subdomains.
GDPR Testing in CI/CD
Automate basic compliance checks:
```javascript
import { test, expect } from '@playwright/test';

// Relative URLs such as '/' require baseURL to be set in playwright.config.

test('no tracking scripts before consent', async ({ page, context }) => {
  // Start from a clean state: drop any cookies already in this context
  await context.clearCookies();
  await page.goto('/');
  // Before interacting with the consent banner, look for tracking cookies
  const cookies = await context.cookies();
  const trackingCookies = cookies.filter(c =>
    c.name.startsWith('_ga') ||
    c.name.startsWith('_fbp') ||
    c.name.startsWith('_gcl')
  );
  expect(trackingCookies).toHaveLength(0);
});

test('site functions after rejecting cookies', async ({ page }) => {
  await page.goto('/');
  await page.click('[data-testid="reject-all-cookies"]');
  // Core pages must still render with only essential cookies
  await page.goto('/products');
  await expect(page.locator('h1')).toBeVisible();
});
```
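The Playwright tests above recognise tracking cookies by a handful of hard-coded name prefixes and only cover the "before consent" state. The manual procedure under Testing Cookie Consent also checks the "Reject All", "Accept All" and "change preferences" states, and Bug 6 adds the subdomain case. The following is an added example and not code from the course page or from Playwright: it is a pure classifier that a test can run on the array returned by `context.cookies()`, with a constructed prefix table and constructed cookie snapshots. The prefix table must be adapted to the vendors the site actually uses.

```javascript
// Added example (not from the course page): classify cookies by consent
// category and report any cookie that is present without the matching
// consent. The prefix table and snapshots below are constructed sample data.

// Known cookie-name prefixes per consent category (constructed, not exhaustive).
const COOKIE_CATEGORIES = {
  essential: ['session', 'csrf', 'cookie_consent'],
  analytics: ['_ga', '_gid', '_gat', 'mp_'],
  marketing: ['_fbp', '_gcl', '_uetsid'],
};

function categorize(name) {
  for (const [category, prefixes] of Object.entries(COOKIE_CATEGORIES)) {
    if (prefixes.some(p => name.startsWith(p))) return category;
  }
  // Anything unrecognised is treated as non-essential so it surfaces in review.
  return 'unknown';
}

// consent: { analytics: bool, marketing: bool }. Before the user has touched
// the banner, pass all-false: nothing has been consented to yet.
function consentViolations(cookies, consent) {
  return cookies
    .map(c => ({ name: c.name, domain: c.domain, category: categorize(c.name) }))
    .filter(({ category }) => category !== 'essential' && !consent[category]);
}

// Subdomain check: a consent cookie scoped to one host (e.g. www.example.com)
// is invisible on blog.example.com, so the choice is not shared. Playwright
// reports a domain-wide cookie with a leading dot ('.example.com').
function consentCookieCoversSubdomains(cookies, consentName, registrableDomain) {
  const c = cookies.find(k => k.name === consentName);
  if (!c) return false;
  const d = c.domain.startsWith('.') ? c.domain.slice(1) : c.domain;
  return d === registrableDomain;
}

// Constructed snapshots in the shape Playwright's context.cookies() returns
// (only the fields used here are shown).
const beforeInteraction = [
  { name: 'session', domain: 'www.example.com' },
  { name: '_ga', domain: '.example.com' },                 // tracking before consent
];
const afterRejectAll = [
  { name: 'session', domain: 'www.example.com' },
  { name: 'cookie_consent', domain: 'www.example.com' },   // host-only: not shared
];
const afterAcceptAll = [
  { name: 'session', domain: 'www.example.com' },
  { name: 'cookie_consent', domain: '.example.com' },
  { name: '_ga', domain: '.example.com' },
  { name: '_fbp', domain: '.example.com' },
];

const NO_CONSENT = { analytics: false, marketing: false };
const FULL_CONSENT = { analytics: true, marketing: true };

// Expected: one violation ('_ga') before interaction, none after Reject All,
// none after Accept All, and the Reject All snapshot fails the subdomain check.
function demo() {
  return {
    before: consentViolations(beforeInteraction, NO_CONSENT),
    rejected: consentViolations(afterRejectAll, NO_CONSENT),
    accepted: consentViolations(afterAcceptAll, FULL_CONSENT),
    sharedAfterReject: consentCookieCoversSubdomains(afterRejectAll, 'cookie_consent', 'example.com'),
  };
}
```

Inside a Playwright test the same functions run on live data: `expect(consentViolations(await context.cookies(), NO_CONSENT)).toEqual([])` before the banner is touched, and again with the chosen consent object after each click in the manual procedure.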
Key Takeaways
- GDPR creates specific, testable requirements that QA engineers must verify
- Cookie consent must offer genuine choice — no tracking before consent and equal reject/accept options
- Data Subject Access Requests must return all personal data within 30 days in a machine-readable format
- Right to Erasure must delete data from all systems including third-party integrations
- Test the full data lifecycle: collection, storage, access, modification, export, and deletion
- Automate basic compliance checks in CI/CD to prevent regressions