More than Half of the Top VPN Providers Are Failing to Comply With GDPR’s audit of privacy policies reveals a significant lack of preparation amongst industry leading VPN providers

Leading VPN comparison website and privacy advocate has discovered that only a third of the industry’s key VPN providers are fully compliant with GDPR. audited the privacy policies of 12 of the industry’s leading providers by market share and found that only four had amended their policies to fully comply with the EU-wide data protection legislation, which came into effect today.

Researchers examined privacy statements looking at 11 different policy points. These metrics were based on the regulations and the latest advice from the UK’s Information Commissioners Office.

Of the 12 VPN providers audited, only AirVPN, Tunnelbear, Private Internet Access and Buffered had documented 90% or more of the policies required to comply with GDPR. Buffered and Private Internet Access were the only two providers to achieve a perfect score having ensured their privacy policies were fully GDPR-compliant.

ProtonVPN and Cyberghost scored a respectable 82% while VyperVPN achieved a score of 73%. ExpressVPN and IPVanish both scored 64%. NordVPN’s privacy policy was found to be the least compliant, achieving a score of only 45%.

Earlier this week, revealed that it had contacted nine market-leading VPN providers and asked them to complete a compliance audit. Only four – Tunnelbear, Cyberghost, Buffered and Private Internet Access – were fully transparent about their policies and were willing to document their processes.

“GDPR has hit business around the world like a ton of bricks,” commented Sean McGrath, editor of “Organisations have had more than two years to prepare for the new laws; yet here we are on the day or reckoning and it’s becoming increasingly apparent that the industry is woefully unprepared.

“VPNs are designed to protect our right to privacy – to enable a free and open Internet. An unfortunate by-product of this noble objective is that the industry has become shrouded in secrecy. GDPR represents a paradigm shift in the relationship between VPN providers and their customers and this should be seen as an opportunity for us to all step out of the shadows and have an open and honest discussion about the future of data privacy.”

Related Articles