Website Evidence Collector (WEC) & WEC Online
The EU institutions' supervisor built a website-inspection tool for its own audits — and released it open source. It visits a site like a first-time user and captures the evidence a regulator would: every cookie set, HTML5 local storage, third-party requests, trackers flagged against the EasyPrivacy filter list, page screenshots and the full HTTP traffic log — in human- and machine-readable form (HTML + YAML), with no third-party cloud service involved.
- Published by
- European Data Protection Supervisor (EDPS)
- Type
- Open-source software tool — command-line tool (WEC) + self-hostable web application (WEC Online)
- Jurisdiction
- EU (EDPS) — usable anywhere; directly relevant to UK PECR / ePrivacy evidence
- Primary audience
- Privacy and web teams with technical support (for the no-code route, see the EDPB Website Auditing Tool)
- Topic tags
- cookies & tracking · PECR / ePrivacy · audit evidence · accountability · transparency
- Availability
- Free, open source (EUPL-1.2) on code.europa.eu. WEC runs via Node.js or a container image; WEC Online deploys centrally so non-technical colleagues can use it through a browser. First developed 2018.
Why it matters
The commercial ground under cookie compliance has shifted. The Data (Use and Access) Act 2025 raised the maximum PECR penalty from £500,000 to £17.5m or 4% of global annual turnover — UK GDPR-level exposure, in force since 5 February 2026 — and the ICO has an active programme covering the UK's top 1,000 websites. Yet most organisations' evidence of what their site actually sets is a vendor CMP scan or an ad hoc DevTools session: point-in-time, and not built to be re-run and diffed as an evidence trail. The WEC closes that gap. It produces reproducible, timestamped evidence of cookies, trackers and third-party transfers — the factual record that underpins a defensible PECR regulation 6 consent position and answers the UK GDPR Article 5(2) accountability question of how you know your public estate does what your notices say. Run it before launch and on a cadence; the YAML output is machine-readable, so successive runs can be diffed for drift. A note on accessibility: the command-line tool assumes technical comfort, and WEC Online needs a one-off deployment by IT before non-technical users get its browser interface. If that rules it out, the EDPB Website Auditing Tool is the point-and-click alternative — and it can import and evaluate WEC evidence, so the two work as a pair. This is the same class of tooling the supervisory side uses — the EDPS built it for its own inspections — and it stays under the radar because it lives on code.europa.eu rather than any marketing channel.
