https://www.vg.no/
Severe privacy issues requiring immediate attention
25
Trackers Found
3
Cookies
107
Network Requests
6.4s
Load Time
VG.no has sophisticated tracking infrastructure but commits two critical GDPR violations that create immediate regulatory risk. The site places tracking cookies before users can consent and forces consent by hiding the reject option, both explicitly prohibited under current EU law. While VG has invested in proper consent management technology (Sourcepoint, IAB TCF v2), the current configuration prioritizes ad revenue over legal compliance.
Critical Actions:
Detail
Found 3 tracking cookie(s) and 0 tracking request(s) BEFORE any consent interaction. This is the most common GDPR violation.
Remediation
Configure your consent management platform to block ALL tracking cookies until after the user makes a choice. Ensure Google Analytics, advertising pixels, and social media trackers only load after 'accept'.
Legal Reference
GDPR Art. 6, ePrivacy Directive Art. 5(3), Planet49 ruling
Raw Data
{
"tracking_cookies_before_consent": 3,
"tracking_requests_before_consent": 0
}Detail
The consent banner has no visible 'reject' or 'decline' button. Under GDPR, rejecting cookies must be as easy as accepting them.
Remediation
Add a prominent 'Reject All' button that's equally visible to 'Accept All'. Configure your Sourcepoint CMP to provide this option and ensure all tracking stops when users reject.
Legal Reference
GDPR Art. 7, EDPB Guidelines 05/2020 on consent
Raw Data
{
"reject_button_found": false
}Detail
Found TCF/CMP API (IAB) in inline JavaScript.
Remediation
Ensure your TCF implementation properly blocks advertising trackers when users decline advertising consent. Regularly audit that consent choices are respected by all advertising partners.
Legal Reference
GDPR Art. 6, ePrivacy Directive Art. 5(3)
Raw Data
{
"vendor": "IAB",
"category": "consent",
"tracker_id": "",
"tracker_name": "TCF/CMP API",
"pattern_matched": "__tcfapi|__cmp\\(",
"detection_method": "inline_pattern"
}Detail
Found IAB TCF v2 (IAB) in inline JavaScript.
Remediation
Verify that your TCF v2 setup correctly blocks all advertising cookies and tracking when users decline. Test that consent strings are properly passed to prevent unauthorized data collection.
Legal Reference
GDPR Art. 6, GDPR Art. 13
Raw Data
{
"vendor": "IAB",
"category": "consent",
"tracker_id": "",
"tracker_name": "IAB TCF v2",
"pattern_matched": "euconsent|tcData",
"detection_method": "inline_pattern"
}Detail
Found Sourcepoint CMP (Sourcepoint) in inline JavaScript. Tracker ID: 2026.
Remediation
Ensure your Sourcepoint configuration blocks all tracking before consent and provides equal prominence to 'accept' and 'reject' options. Review your CMP settings regularly.
Legal Reference
GDPR Art. 7
Raw Data
{
"vendor": "Sourcepoint",
"category": "consent",
"tracker_id": "2026",
"tracker_name": "Sourcepoint CMP",
"pattern_matched": "cdn\\.privacy-mgmt\\.com|sourcepoint\\.com",
"detection_method": "inline_pattern"
}Detail
Cookie consent banner powered by Custom consent banner (Custom) is present on the page.
Remediation
Review your custom consent banner to ensure it meets GDPR requirements: clear language, equal prominence for accept/reject, and no pre-selected options for non-essential cookies.
Legal Reference
GDPR Art. 7, Planet49 ruling
Raw Data
{
"cmp": "Custom consent banner",
"vendor": "Custom"
}Detail
2 request(s) to log.medietall.no (unknown) — PII detected: uid (URL parameter).
Remediation
Review the data processing agreement with Medietall analytics service. Ensure consent is obtained before sending any user identifiers. Consider switching to privacy-friendly analytics like Plausible or self-hosted Matomo.
Legal Reference
GDPR Art. 6, Art. 28
Raw Data
{
"domain": "log.medietall.no",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://log.medietall.no/analytics.v2.js",
"https://log.medietall.no/?i=607d77e46bf6b242026472c2&l=p&u=https%3A%2F%2Fwww.vg.no%2F&c=desktop&ptp=frontpage&psn=&sbs=&ul=&sbid=&r=_&lcid=na&uid=OOKX0yKqOdibG9pp&ns=1&_h=pageView&_s=js&_l=DOMContentL"
],
"pii_detected": [
"uid (URL parameter)"
],
"request_count": 2,
"resource_types": [
"ping",
"script"
]
}Detail
First-party cookie from vg.no, expires: 13 days, purpose: Unrecognized cookie.
Remediation
Document the purpose of this cookie in your privacy policy and cookie banner. Ensure it's properly categorized (functional, analytics, marketing).
Legal Reference
GDPR Art. 13
Raw Data
{
"expiry": "13 days",
"secure": true,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "Strict",
"cookie_name": "clientBucket",
"cookie_domain": "vg.no",
"is_long_lived": false,
"is_third_party": false
}Detail
First-party cookie from vg.no, expires: 12 months, purpose: Unrecognized cookie.
Remediation
Identify the purpose of this cookie and document it in your privacy policy. Add Secure flag and consider reducing expiry time. Remove if not necessary.
Legal Reference
GDPR Art. 13
Raw Data
{
"expiry": "12 months",
"secure": false,
"vendor": "unknown",
"purpose": "unknown",
"http_only": false,
"same_site": "Strict",
"cookie_name": "__mbl",
"cookie_domain": "vg.no",
"is_long_lived": false,
"is_third_party": false
}Detail
7 request(s) to akamai.vgc.no (unknown).
Remediation
Review if access tokens in image URLs contain personal data. If so, ensure proper data processing agreements are in place with Akamai CDN services.
Raw Data
{
"domain": "akamai.vgc.no",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://akamai.vgc.no/users/schibsted/images/147107514.jpg?t[strip]=1&t[crop][x]=511&t[crop][y]=0&t[crop][width]=1468&t[crop][height]=1333&t[resize][width]=734&accessToken=a057d6d12a1fb7db6a8493c02ab0",
"https://akamai.vgc.no/users/schibsted/images/147100526.jpg?t[strip]=1&t[crop][x]=7&t[crop][y]=363&t[crop][width]=1960&t[crop][height]=919&t[resize][width]=734&accessToken=2e28785fd746315c30521f9f385bd",
"https://akamai.vgc.no/users/schibsted/images/147106622.jpg?t[strip]=1&t[crop][x]=92&t[crop][y]=238&t[crop][width]=1633&t[crop][height]=552&t[resize][width]=734&accessToken=307bd99c4d0ef184c3bfe8223ba2",
"https://akamai.vgc.no/users/schibsted/images/147113680.jpg?t[strip]=1&t[crop][x]=517&t[crop][y]=0&t[crop][width]=1074&t[crop][height]=1415&t[resize][width]=239&accessToken=b436c5852adb0e2d7aaa218e10a8",
"https://akamai.vgc.no/users/schibsted/images/147066495.jpg?t[strip]=1&t[crop][x]=79&t[crop][y]=16&t[crop][width]=321&t[crop][height]=199&t[resize][width]=359&accessToken=e99a4ba1812595f028850399f294a5"
],
"pii_detected": [],
"request_count": 7,
"resource_types": [
"image"
]
}Detail
1 request(s) to cogwheel.inventory.schibsted.io (unknown).
Remediation
This appears to be part of your consent management platform - ensure it's properly configured to block other trackers until consent is given.
Raw Data
{
"domain": "cogwheel.inventory.schibsted.io",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://cogwheel.inventory.schibsted.io/prod/latest/gdpr-bundle.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
1 request(s) to adsdk.microsoft.com (unknown).
Remediation
Verify if this script is necessary. If used for advertising, ensure explicit consent is obtained before the script loads. Consider removing if not actively used.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"domain": "adsdk.microsoft.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://adsdk.microsoft.com/ast/ast.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
1 request(s) to vgc.no (unknown).
Remediation
No action needed - this is legitimate functionality for your media content.
Raw Data
{
"domain": "vgc.no",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://vgc.no/player/player.next.min.bundled-latest.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
1 request(s) to sdkconfig.pulse.schibsted.io (unknown).
Remediation
Ensure this analytics service has proper consent controls and data processing agreements in place within the Schibsted group.
Legal Reference
GDPR Art. 28
Raw Data
{
"domain": "sdkconfig.pulse.schibsted.io",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://sdkconfig.pulse.schibsted.io/js/config.json"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"fetch"
]
}Detail
2 request(s) to fonts.googleapis.com (Web font delivery).
Remediation
Same as Google Fonts stylesheets - self-host these font files to prevent Google tracking.
Legal Reference
Munich Regional Court (Jan 2022)
Raw Data
{
"domain": "fonts.googleapis.com",
"vendor": "Google",
"purpose": "Web font delivery",
"sample_urls": [
"https://fonts.googleapis.com/css?family=Roboto:400,500&display=swap",
"https://fonts.googleapis.com/css?family=Inter:400,600&display=swap"
],
"pii_detected": [],
"request_count": 2,
"resource_types": [
"stylesheet"
]
}Raw Data
{
"domain": "fonts.gstatic.com",
"vendor": "Google",
"purpose": "Web font file delivery",
"sample_urls": [
"https://fonts.gstatic.com/s/inter/v20/UcC73FwrK3iLTeHuS_nVMrMxCp50SjIa1ZL7.woff2",
"https://fonts.gstatic.com/s/schibstedgrotesk/v3/Jqz55SSPQuCQF3t8uOwiUL-taUTtap9GayojdSFO.woff2",
"https://fonts.gstatic.com/s/schibstedgrotesk/v3/Jqz55SSPQuCQF3t8uOwiUL-taUTtap9GayojdSFO.woff2"
],
"pii_detected": [],
"request_count": 3,
"resource_types": [
"font"
]
}Detail
1 request(s) to ads.inventory.schibsted.io (unknown).
Remediation
Ensure this advertising system only loads after obtaining explicit consent for marketing cookies and tracking.
Legal Reference
ePrivacy Directive Art. 5(3)
Raw Data
{
"domain": "ads.inventory.schibsted.io",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://ads.inventory.schibsted.io/ad-service/ad-banner-sponsor-advertisement/ad.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
4 request(s) to static.privacy.schibsted.com (unknown).
Remediation
No action needed - these are legitimate privacy management interface elements.
Raw Data
{
"domain": "static.privacy.schibsted.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://static.privacy.schibsted.com/cmp/brands/none.svg",
"https://static.privacy.schibsted.com/cmp/brands/VG.svg",
"https://static.privacy.schibsted.com/cmp/schibsted_logo_primary_20231017.svg",
"https://static.privacy.schibsted.com/cmp/chevron_down_20231017.svg"
],
"pii_detected": [],
"request_count": 4,
"resource_types": [
"image"
]
}Detail
1 request(s) to time.akamai.com (unknown).
Remediation
Verify if this service processes any personal data. Consider if local time handling could replace this external dependency.
Raw Data
{
"domain": "time.akamai.com",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://time.akamai.com/"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"fetch"
]
}Detail
1 request(s) to cdn.stream.schibsted.media (unknown).
Remediation
No action needed - this is legitimate media delivery infrastructure within your group.
Raw Data
{
"domain": "cdn.stream.schibsted.media",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://cdn.stream.schibsted.media/jw/jwplayer-8.34.5/jwplayer.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
1 request(s) to session-service.payment.schibsted.no (unknown).
Remediation
Ensure this service has appropriate data processing agreements within Schibsted group and only processes necessary authentication data.
Legal Reference
GDPR Art. 28
Raw Data
{
"domain": "session-service.payment.schibsted.no",
"vendor": null,
"purpose": "unknown",
"sample_urls": [
"https://session-service.payment.schibsted.no/user-context?client_sdrn=sdrn%3Aspid.no%3Aclient%3A4ef1cfb0e962dd2e0d8d0000&sdk_version=5.2.6"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"fetch"
]
}Detail
Found Sentry (Sentry) in inline JavaScript.
Remediation
Review your Sentry configuration to ensure it's not capturing personal data in error logs. Consider self-hosting Sentry or switching to a EU-based error monitoring service like LogRocket EU or Rollbar with EU data residency.
Legal Reference
GDPR Art. 44-49 (international transfers)
Raw Data
{
"vendor": "Sentry",
"category": "analytics",
"tracker_id": "",
"tracker_name": "Sentry",
"pattern_matched": "sentry\\.io|Sentry\\.init",
"detection_method": "inline_pattern"
}Detail
First-party cookie from vg.no, expires: 12 months, purpose: Snowplow analytics tracking cookies.. Vendor: Snowplow.
Remediation
Ensure this Snowplow cookie is only set after obtaining valid consent through your consent banner. Consider shortening the 12-month expiry to a more proportionate timeframe like 3-6 months. Verify that Snowplow data processing stays within the EU or has adequate transfer safeguards.
Legal Reference
ePrivacy Directive Art. 5(3), GDPR Art. 6
Raw Data
{
"expiry": "12 months",
"secure": true,
"vendor": "Snowplow",
"purpose": "analytics",
"http_only": false,
"same_site": "None",
"cookie_name": "_sp_su",
"cookie_domain": "vg.no",
"is_long_lived": false,
"is_third_party": false
}Detail
1 request(s) to schibsted-cdn.relevant-digital.com (Nordic header bidding and yield management).
Remediation
Verify that header bidding only activates after visitor consent. Audit which ad exchanges receive visitor data through this system. Consider implementing server-side header bidding to reduce client-side tracking.
Legal Reference
GDPR Art. 6 (lawful basis), GDPR Art. 13 (transparency about data sharing)
Raw Data
{
"domain": "schibsted-cdn.relevant-digital.com",
"vendor": "Relevant Digital",
"purpose": "Nordic header bidding and yield management",
"sample_urls": [
"https://schibsted-cdn.relevant-digital.com/static/tags/6316fce35aea87bd62e92853.js"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"script"
]
}Detail
1 request(s) to ib.adnxs.com (Programmatic ad serving and user syncing).
Remediation
Ensure AppNexus tracking only starts after explicit consent. Review your ad tech stack to minimize third-party data sharing. Consider contextual advertising that doesn't require behavioral tracking as an alternative.
Legal Reference
GDPR Art. 6 (lawful basis), ePrivacy Directive Art. 5(3) (consent for tracking)
Raw Data
{
"domain": "ib.adnxs.com",
"vendor": "AppNexus (Xandr/Microsoft)",
"purpose": "Programmatic ad serving and user syncing",
"sample_urls": [
"https://ib.adnxs.com/"
],
"pii_detected": [],
"request_count": 1,
"resource_types": [
"fetch"
]
}