GDPR Winners & Losers: 46 out of 83 VPNs FAIL to Comply with GDPR

In case you received countless emails about updated or new privacy policies from companies you never heard off, you’re not alone. May 25, 2018 was the deadline for the implementation of European Union’s General Data Protection Regulation (GDPR).

The new privacy regulation has left numerous online businesses and tech companies scrambling to update their privacy policies and terms of service. Failure to adhere to GDPR rules will result in strict consequences, with penalties amounting up to €20 million or 4% of worldwide annual revenues.

The VPN industry is infamous for lack of transparency, with numerous cases involving misuse of user’s data and recording information without their consent. However, with GDPR in place, we have much needed regulations to safeguard users’ privacy, protect their personal data, and granting them control over their information.

This brings us to our research. We analyzed the privacy policies of different VPN providers and checked whether the services met GDPR requirements. Our results revealed that 46 out 83 VPN providers failed to comply with GDPR.    

*Disclaimer: we do not intend to slander any VPN service. The aim of our research is to highlight VPN services that comply with GDPR. We will be reaching out to VPN providers that do not meet GDPR requirements and get their response.

Our Methodology

Our methodology for finding GDPR compliant VPNs is straightforward. According to GDPR, there are eight Rights of Individuals that every online business has to comply. Therefore, we analyzed the privacy policy of each VPN provider based on these eight points:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Providers that explained their policy based on these eight points passed our testing, while those that did not mention or explained these eight points came up short. In addition, we used a web archive tool called Wayback Machine to see the difference in privacy policies prior to the introduction of GDPR. The reason for checking previous versions of privacy policies was to show how the VPN provider has improved its transparency and incorporated GDPR elements.

Which VPN Providers Met GDPR Requirements? 

1.      NordVPN – GDPR Compliant

When we last approached NordVPN regarding its compliance with GDPR, their legal team was working towards updating the privacy policy. We are glad to report that NordVPN complies with GDPR and meets the rights of individuals.

It clearly displays the information it takes from its subscribers and what data it collects when a user uses the VPN service. Likewise, it offers a detailed look at how is this data processed after collection.

It is safe to say that NordVPN takes users privacy very seriously. The privacy policy is written in a succinct manner and covers all the aspects with respect to GDPR. This is a marked improvement from its earlier version of the privacy policy.

The snapshot taken from web archive tool shows how it has made its privacy policy more transparent. The most notable difference is in how it stores customer service data. It now offers users the right for erasure.

Previously, there was no such option and NordVPN would store customer service data for six months. We also came across new sections, such as Review and changes of your information and its stance on processing data about children.

Get all the details about NordVPN’s compliance with GDPR in its privacy policy.

2.      ExpressVPN – GDPR Compliant

When we were reviewing ExpressVPN’s privacy policy, we uncovered interesting findings. When we put ExpressVPN’s privacy policy through Wayback Machine, but we couldn’t find any difference between the snapshots taken earlier last year (December 2017).

That said, the provider met with some of the requirements of GDPR. It offers all the details about the data it collects and uses, which logs it stores and the type of cookies it uses. However, some questions remained unanswered, such as the duration for which it keeps users data and what are user’s rights as per GDPR.

Other than that, ExpressVPN complies with GDPR. Users can rest assured that their privacy will not be invaded at any cost. Likewise, users have control over the information gathered by ExpressVPN, as it will seek their consent before handling any personal information.

 Read about ExpressVPN data collection practices in its privacy policy.

3.      VyprVPN – GDPR Compliant

VyprVPN is one of the services offered by Golden Frog and falls under its parent companies privacy policy. The VPN service has updated its privacy policy to meet all the requirements of GDPR and preserves European user’s rights.

When we went through an earlier version of its privacy policy and noticed several missing elements. It provided an overview of data collection and usage, logs it kept and other information, but failed to meet GDPR requirements. There were no sections for data transfer or accessing/amending your personal data.

However, VyprVPN has come clean and with its updated privacy policy, the provider now offers more transparency to its users. One of the most notable additions includes ‘Your Rights’ section. Subscribers now have the right to delete and amend their personal data. They can also request for removal from Golden Frog’s systems.

You can read the full document in VyprVPN’s privacy policy.

4.      PureVPN – GDPR Compliant

PureVPN is a leading VPN provider in the industry and is GDPR compliant. Its privacy policy covers all the details about the data it collects, how it uses this data, what type of logs it retains, and other details regarding its service.

Based on the eight rights of individuals as per GDPR, PureVPN passes with flying colors. It complies with the right to be informed by highlighting the data it stores and the logs it keeps. Likewise, right of access and right of rectification are also present in its privacy policy, allowing its subscribers to have full control over their data.

GDPR has given PureVPN the opportunity to become as transparent and open as it can. This was apparent when we compared its current privacy policy with its older version. It has revamped its privacy policy and added more detail to existing and new sections.

In the earlier version of PureVPN’s privacy policy, there wasn’t much detail. It covered overall information about logs and cookies but failed to provide information about analytical software, URL filters, and at which stages users’ data will be recorded. Here is a screenshot of its old privacy policy:

Another interesting finding we uncovered from our research was that PureVPN has reworked its entire legal structure. It worked continuously for last six months with a team of legal experts and engineers to become as transparent as possible.   

You can check out the revamped clauses in PureVPN’s privacy policy.

5.      CyberGhost – GDPR Compliant

If you want to see a transparent and organized privacy policy that complies with GDPR, then you should check out CyberGhost. The VPN provider has updated its privacy policy from last year and added details about all the elements while including information pertinent to GDPR.

There is a marked improvement in the readability of CyberGhost’s privacy policy. You can read the document with ease and find detail about how the data is collected, used, and for how long it is retained. When we visited its previous version from last year (2017) through Web Archive, there was no disclosure of third-party tools or the rights of the user.

Check out CyberGhost’s Review and updated privacy policy for more detail.

6.      IPVanish – GDPR Compliant

IPVanish has drastically improved its privacy policy and now complies with GDPR. There is a lot more detail about the data it collects, how it uses this data, which third-party tools are running on its website and service, and provides users the right to opt out of its several services.

The earlier version of IPVanish’s privacy policy was outdated and held little information that would make the service transparent. Our comparison from Wayback Machine showed that the provider last updated its privacy policy in 2014 and continued to use it throughout the years. However, with the introduction of GDPR, IPVanish offers a clear picture to users and grants them control over their data.

You can read the updated IPVanish privacy policy for all the details.  

7.      ProtonVPN – GDPR Compliant

On paper, ProtonVPN complies with GDPR requirements and mentions most of the detail relevant to the new regulation. However, one thing that bothered us is that it operates from Switzerland and any dispute regarding the privacy policy could cause a feud due to legal jurisdiction.

That said, ProtonVPN adheres to GDPR law and defines the data it collects, how it uses, how it protects this data, and for how long it retains this data. This was a considerable improvement from its previous version of the privacy policy.

However, as per GDPR, we could not find the Rights of Access in ProtonVPN’s privacy policy; something that the service should look into and consider adding.

For more information, read ProtonVPN’s privacy policy.

8.      Windscribe – Does not comply with GDPR

The current privacy policy of Windscribe is pretty bleak. The VPN provider does not comply with GDPR laws and fails to provide any rights of an individual as per new regulation. Therefore, European users should look for Windscribe alternatives if they wish to use a service that gives them control over their personal information.

Furthermore, Windscribe’s privacy policy hasn’t been updated since 2016, suggesting it was once created at of time launch of Windscribe. To check if the policy has ever been updated, we went through earlier its versions via WayBack Machine. Much to our surprise, there was no difference at all.

You can review the outdated Windscribe privacy policy for more information.

9.      TunnelBear – GDPR Compliant

TunnelBear’s privacy policy is detailed, transparent, and meets the requirements of GDPR. It offers all the information regarding the data it collects, how it processes that data, how long it stores this data, and more.

Similarly, TunnelBear grants users the right to access their information, to change or amend their personal data, and allows them to control their information. As for the frequency of updates on TunnelBear’s privacy policy, their document was last updated on April 2017. It may seem like a long time, but the provider meets with GDPR and openly discusses all the information it takes and uses from users.

Give TunnelBear’s privacy policy a read for more detail. 

10. ZenMate VPN – GDPR Compliant

ZenMate VPN made a name in the industry as a free web browser extension, but it still needs to maintain a top-notch privacy standard. Fortunately, it complies with GDPR and provides in-depth detail based on the eight rights of individuals.

During our research, we visited ZenMate’s privacy policy from yester years. The provider has made a marked improvement and provided transparency to its subscribers. In addition to GDPR, it offers information about with respect to other platforms and tools, such as a Facebook, Google Analytics, Adwords, Twitter, and other payment merchants.

Visit ZenMate privacy policy to see how the provider meets GDPR.

11. HideIPVPN- Does not comply with GDPR

Our GDPR compliant VPN analysis indicates that HideIPVPN does not follow the above-mentioned users’ right. However, it only fulfills the first right of the user. According to its official claim, HideIPVPN does not sell its users’ data.

We were hoping that the service would comply with all the regulations of GDPR. Sadly, it was not the case. Furthermore, the privacy policy does not provide enough information to users about other rights, such as the right to rectification, right to object, right to erasure and others.

We expected from HideIPVPN that it would comply with all the requirements of GDPR compliance in near future. Moreover, the service should develop its privacy policy in accordance with GDPR regulations and other conditions. By doing so, the user would be able to trust the service.

You can explore HideIPVPN privacy policy to know about the service in detail.

 12. Buffered VPN – GDPR Compliant

Our review suggests that Buffered VPN has taken all the required steps to become one of the best GDPR compliant VPN services. The service has concisely created an exclusive FAQ section that covers all the queries related to users’ rights given by GDPR.

In order to become an efficient GDPR compliant service, Buffered has changed its internal processes. Likewise, it has altered its policies in accordance with GDPR. Thus, the provider can process all the users’ data according to GDPR requirements.

Furthermore, the provider has clearly described all the principles related to personal data processing in detail. Hence, users can assume how much transparent Buffered VPN has become when it comes to complying with GDPR regulations.

Likewise, we explored its privacy policy section and were delighted to observe that the provider has described each users’ right in detail. Thus, you can obtain relevant information about different users’ rights according to your own needs.

We contacted Buffered and asked for their official verdict about GDPR. We were glad to note that Buffered VPN has started processing its users’ personal data under strict and legal conditions. Moreover, it has also taken steps to protect the users’ data from different online threats.

In addition, Buffered VPN has changed its policies and procedures within the organization to become GDPR compliant VPN.

For more information, read Buffered VPN privacy policy.

13. GooseVPN – Does not comply with GDPR Regulations

GooseVPN has not done something extraordinary in accordance with GDPR compliance. Sadly, the service has not updated its privacy policy as per GDPR regulations. Moreover, the provider does not look in a hurry to work on GDPR guidelines in near future.

Our analysis indicates that the provider needs to work in accordance with GDPR compliance as soon as possible. Otherwise, GooseVPN may face the music in form of hefty fines and other penalties. Likewise, the service would not be able to get the attention of new users in coming future.

Read more detail about GooseVPN’s data practices in its privacy policy.

14. OVPN – Does not comply with GDPR

Our GDPR Compliant VPN analysis highlights that OVPN is following the footsteps of GooseVPN. The provider has not lived up to their users’ expectations when it comes to fulfilling GDPR. Moreover, it has not updated its privacy policy in recent past, which suggests OVPN has taken GDPR lightly.

The provider does not offer a live chat support feature. Therefore, we were unable to get the official response of OVPN about GDPR. However, we expect that OVPN will take all the necessary measures to secure itself from GDPR fines and other penalties.

You can read OVPN privacy policy to explore more about its data collection practices.

15. AceVPN – Does not comply with GDPR

Unfortunately, AceVPN has not done anything remarkable to become GDPR complaint VPN. Yes, you have read it correctly. The service does not provide enough information about users’ data collection process, their right to access their information or the right of erasure from its systems.

Moreover, it does not inform about GDPR users’ rights like the right to information, right to rectification, and so on.  Therefore, the service has to improve its performance in terms of GDPR compliance drastically.

You can read AceVPN privacy policy to know about its hidden attributes.

16. PandaPow VPN- Does not comply with GDPR

Sadly, the same applies to PandaPow VPN. Our review discloses that the service has not updated its privacy policy according to GDPR requirements. In addition, its privacy policy does not inform its users about data collection processes.

It does not describe the method by which it procures users’ data in a confidential manner. Moreover, we did not find any single clause that relates to GDPR regulations. The prevailing privacy policy does not discuss the right to erasure and right to data portability notions at all.

Likewise, we were unable to find sections like Right to object and rights related to automated decision-making including profiling too.

You can explore PandaPow privacy policy to know about its pros and cons in detail. 

17. SaferVPN- Does not comply with GDPR

SaferVPN is another VPN service not following GDPR requirements in true letter and spirit. Moreover, the current privacy policy suggests that the service does not want to make amendments according to GDPR regulations.

We explored Safer VPN 2017 privacy policy in detail to figure out the difference between its previous and existing privacy policy. However, we did not find major changes. In addition, the service has not described the implications of GDPR in its privacy policy.

Being a renowned VPN provider, SaferVPN must develop its current privacy policy as per the regulations of GDPR. By doing so, users would be able to trust the service accordingly. As a result, SaferVPN may get the attention of potential users in near future.

You can read SaferVPN privacy policy to know about the service. 

18. CELO VPN – Does not comply with GDPR

Unfortunately, the privacy policy of CELO VPN does not work in accordance with GDPR requirements. If you explore the document in detail, you will find information that relates to the right of the user that is right to be informed.

Luckily, the provider has followed Article 33 of GDPR to some extent. In case of data breach, CELO VPN will inform its users about the incident within seven business days through an email. We were hoping that the service would consider all the regulations of GDPR and revise its privacy policy accordingly.

However, it was not the case. Therefore, European users will have to opt other VPN services that offer them more clarity about the use of their personal data.

You can read CELO VPN privacy policy to find out more detail.

19. VPNArea – GDPR Compliant

Our GDPR compliant VPN review discloses that VPNArea follows GDPR regulations. We were delighted to know that the provider has deployed data protection officer to solve users’ queries instantly. Hence, you can attain awareness about your personal data processing in a timely manner.

Likewise, you can modify your personal information by using your right to rectification. Furthermore, you can remove your personal data by using right to erasure in no time.

We tried to explore major differences between its current and privacy policy through Way Back Machine. Interestingly, we were able to identify some of the key differences in terms of GDPR regulations. The service has updated its privacy policy as per GDPR requirements to another level.

Check out VPNArea’s privacy policy to evaluate its data practices.

20. PrivateVPN – Does not comply with GDPR

Our GDPR compliant VPN review reveals that PrivateVPN has a long way to go when it comes to following GDPR regulations. It has not mentioned anything about GDPR in its privacy policy. However, you will find information about data collection procedure.

Likewise, you may explore details that describe how they use personal information of their users. Still, the privacy policy should have provided enough information about users’ rights according to GDPR regulations.

We used Way Back Machine to explore its privacy policy previous version. We were unable to find much difference between its prevailing and previous policy.

You can check out the other attributes of PrivateVPN privacy policy to know more about the service straightaway.

21. ibVPN – GDPR Compliant

ibVPN complies with GDPR in the right direction. Our review unveils that the service has updated its current privacy policy according to various GDPR requirements. If you explore its privacy policy in detail, you can see right to be informed and right to rectification discussed in the document.

In case of data breach, the service is supposed to inform its users in accordance with GDPR regulations. Moreover, you can review your current information and make necessary changes as per your own terms.

To know more about privacy policy in detail, read IBVPN privacy policy document.

22. Private Internet Access (PIA) – GDPR Compliant

Private Internet Access (PIA) allows its European users to avail the service according to their own terms. This is because the provider follows all the notions of GDPR in true letter and spirit. Therefore, you can get information about your data collection procedure.

Furthermore, you can use right to access and other users’ rights described in GDPR hassle-free. Similarly, you can opt right to rectification and right to erasure to update or remove your personal information instantly.

The service has updated its privacy policy and included all the requirements of GDPR in a detailed manner. Therefore, you can be sure about the usage or processing of personal information to next level. Hence, European users can use the service in compliance with GDPR regulations stress-free.

You can read Private Internet Access privacy policy to know about the service. 

23. Ivacy – GDPR Compliant

Ivacy is another VPN service is following GDPR regulations. The current privacy policy explains data collection procedure to its users in detail. Likewise, you can get awareness about how the service is taking precautionary measures to secure your personal information.

We contacted its customer support to know if Ivacy is complying with GDPR or not. According to its official response, the provider is a GDPR compliant. You can explore its data protection rights section to find out how much Ivacy is abiding by GDPR requirements.

You can read Ivacy privacy policy to explore more details.

Other VPN Winners & Losers: Do They Meet GDPR Requirements?

24. AstrillVPN: GDPR Compliant
25. SurfEasy: Does not comply with GDPR
26. TorGuard: GDPR Compliant
27. VPN Unlimited: Does not comply with GDPR
28. Avast VPN: GDPR Compliant
29. TigerVPN: GDPR Compliant
30. AirVPN: GDPR Compliant
31. Zoog VPN: Does not comply with GDPR
32. StrongVPN: GDPR Compliant
33. Avira Phantom VPN: GDPR Compliant
34. AnonVPN: VPN is no longer active
35. Betternet: GDPR Complaint
36. BolehVPN: Does not comply with GDPR
37. CrypticVPN: Does not comply with GDPR
38. FinchVPN: Does not comply with GDPR
39. FrootVPN: Does not comply with GDPR
40. Ghost Path VPN: Does not comply with GDPR
41. Hola VPN: Offer GDPR rights to EU residents
42. Incognito VPN: Does not comply with GDPR
43. Ironsocket: GDPR Compliant
44. Mullvad: GDPR Compliant
45. IntelliVPN: GDPR Compliant
46. LibertyVPN: Does not comply with GDPR
47. Private Tunnel: GDPR Compliant
48. RootVPN: Does not comply with GDPR
49. Hotspot Shield: GDPR Compliant
50. HideMyAss: Does not comply with GDPR
51. LeVPN: GDPR Compliant
52. FrostVPN: Does not comply with GDPR
53. blackVPN: Does not comply with GDPR
54. CactusVPN: GDPR Compliant
55. BTGuard: Does not comply with GDPR
56. EarthVPN: Does not comply with GDPR
57. BeeVPN: (no privacy policy) Does not comply with GDPR
58. LiquidVPN: Does not comply with GDPR
59. nVPN: Does not comply with GDPR
60. GoTrusted VPN: Does not comply with GDPR
61. HotVPN: Does not comply with GDPR
62. Faceless.ME: Does not comply with GDPR
63. SecurityKISS VPN: Does not comply with GDPR
64. OctaneVPN: Partially Complies with GDPR
65. OverPlay: Complies with GDPR
66. RA4W VPN: Does not comply with GDPR
67. OneVPN: Does not comply with GDPR
68. VPN Baron: Complies with GDPR
69. WorldVPN: Does not comply with GDPR
70. WiTopia (PersonalVPN): Complies with GDPR
71. Trust.Zone: Does not comply with GDPR
72. SlickVPN: Does not comply with GDPR
73. TotalVPN: Does not comply with GDPR
74. Anonymous VPN: Does not comply with GDPR
75. ActiVPN: GDPR Compliant
76. Encrypt.me: GDPR Compliant
77. ChillGlobal: Does not comply with GDPR
78. FlowVPN: Does not comply with GDPR
79. ChillGlobal VPN: Does not comply with GDPR
80. VPN.cc: Does not comply with GDPR
81. VPN Land: partially complies with GDPR
82. VPN.asia: Does not comply with GDPR
83. UnoTelly: Does not comply with GDPR

A Detailed Look at GDPR Compliance Points

What is GDPR?

GDPR (General Data Protection Regulation) is a set of rules that allows EU users to control their personal information. Moreover, it provides a simplified regulatory framework to businesses and netizens in the European Union. As a result, both businesses and individuals can take huge benefits from the digital economy while preserving each other’s privacy.

Here are the eight rights of individuals explained in detail:

The right to be informed

The right to be informed highlights the importance of information transparency. You can attain awareness about the use of your personal data in the right direction.

The right of access

The users may assume right of access as subject access that enables users in attaining a copy of their personal data. Hence, they can understand how and why you are using their data. Likewise, they can check if you are using their data lawfully or not.

The right to rectification

According to Article 16 of GDPR, users can rectify their incomplete or inaccurate data hassle-free. Thus, you can complete your incomplete data still it depends on the purposes of the processing.

The right to erasure

Article 17 of GDPR allows users to remove their personal data anytime from anywhere. However, the said rule only applies in specific situations.

The right to restrict processing

According to the right to restrict processing, users can exercise their right to restrict the processing of their personal information.  Thus, you can ask organizations to limit the use of your personal data.

The right to data portability

The right to data portability enables the users to receive their personal data in machine-readable format. Moreover, you can transfer your data from one controller to another controller.

The right to object

Article 21 of GDPR provides users right to object to the processing of their personal data. This way, you can ask organizations to stop processing and using your data.

Rights in accordance with automated decision making and profiling

According to Article 22 of GDPR, you can perform automated decisions in specific situations only. Furthermore, you have to give information to users about the processing of their personal data.

What does this mean for the VPN Industry

Our GDPR compliant VPN research indicates that VPN industry is fully up to speed with GDPR requirements. There are different VPN services who have abided by GDRP regulations appropriately. Likewise, numerous online privacy providers have not made significant changes in their policies.

Therefore, European users should consider opting VPN services those comply with the GDPR guidelines. By doing so, they can attain more control over their personal data. If you avail a VPN service that does not comply with GDPR regulations, you may not be able to gain control over your personal information.

According to GDPR guidelines, VPN services are obliged to communicate with their subscribers in a transparent manner. If they are unable to do so, chances are that they may face penalties or hefty fines. These sanctions may hamper their future growth or expansion in the future.

Credit: This research was done in collaboration with Salmi (author).