Data Privacy – Why Consent does not equal Compliance

It can be surprisingly hard to keep up with the ever-evolving legal landscape when it comes to data protection. Even if you think you’ve got all your bases covered, there are often subtle nuances that you may have overlooked. One of the most significant of these is the use of third-party tags. In this article, we’ll explore the risks businesses face when using third-party tags, the potential violations they may be unknowingly committing, and what you need to do to stay compliant.

Data Privacy – Why Consent does not equal Compliance

The Current State of Affairs

Balancing the use of third-party tags with regulatory compliance has always been a challenge, but given current indications, is getting a lot tougher. In the last few years, we’ve seen an increase in companies being fined for violations of privacy laws such as the General Data Protection Regulation – an increase of 40 per cent between 2020 and 2021.

In fact, more than €1.7bn in fines have been handed out under the GDPR alone since 2018, with companies such as Grindr, H&M, Marriott, Sephora and Saga being some of the biggest offenders. And things aren’t looking good for the future either. While many of the aforementioned companies have learned their lesson from their individual violations, the fact is that the failures that got them there remain commonplace in the wider industry. Read also Top 10 GDPR Fines in 2022

Why and How Consent Doesn’t Equate to Compliance

Consent models are a serious blind spot for brands online. Many approach the issue of privacy in the same way, assuming that obtaining user permission is enough to ensure their compliance. But nothing could be further from the truth. Research and data show that organizations leak an alarmingly large amount of sensitive data without even realizing it, ultimately opening their risk to hefty fines and penalties.

Let’s take a closer look at how it happens and why it’s a problem for remaining compliant with major regulations.

Poor Use of a Consent Management Platforms

While Consent Management Platforms (CMP) are undoubtedly helpful in the challenge of obtaining and organizing data sharing permissions, too many companies see and implement them as an out-of-the-box solution. Analysis shows that 88% of the 91% of EU advertisers who use a Consent Manager share user data to third parties before actually acquiring the permission to do so. Many fail to properly integrate their systems across enterprise architectures and legacy technologies that contain personal data. In short, there’s a clear problem on the implementation side of things; today’s organizations simply aren’t doing enough to ensure their CMPs are actually helping them stay compliant.

‘Piggybacking’

‘Piggybacking’ is a term used in the world of data privacy to describe the use of unauthorized cookies and tags that collect data from websites without the advertisers permission. It is, unfortunately, an incredibly common occurrence – just one recent example being 427 unauthorized tags activated by a single UK publisher’s website.

The implications of piggybacking are far-reaching. Not only does it result in unconsented information being shared frivolously online, but it also leads to an increase in malicious activity. Cyber attackers, for example, feed off of piggybacked data to launch targeted attacks and fraud activity.

The presence of piggybacking is made worse by the fact that many organizations don’t have sufficient visibility over their own data sharing activities, leaving them unaware of when they are participating in such practices. European advertisers in particular are at a heightened risk, as the European Data Protection Board has indicated that they may be held jointly liable for the wrongful collection and use of private information by connected third parties.

Data Resellers

Data resellers are another risk worth noting when it comes to potential privacy infringements. Many advertisers today use third-party data suppliers in order to gain insights into their customers, often unaware that these companies have resold or shared the data across other channels. With so many companies already passing information along before consent if confirmed, it’s only logical to assume that the same problem is occurring within reselling networks and other data sharing agreements.

The truth of the matter is that not all companies are as transparent as they should be about the data collection and use practices of their partners. This means that organizations of all sizes could be participating in activities without realizing it, and unknowingly putting themselves at risk for major fines.

The truth is, many of the data resellers out there lack both robust security measures and proper consent models for collecting and using customer information – leading to a massive security risk for the organizations who are using their services.

Enhancing Compliance In Today’s Complex Regulatory Landscape

As privacy regulations become more stringent, businesses must take it upon themselves to ensure they are staying current in their compliance practices. The following are a few suggestions for companies to consider in order to remain compliant with major regulations:

Always-On Compliance Monitoring

Always-on compliance monitoring is the key to achieving a high level of privacy protection. Companies should look for solutions that provide real-time monitoring and alerting when data is shared without consent. This should include the ability to detect third-party data resellers, as well as any piggybacking activities that occur on a website.

Educate Your Employees

Data privacy is a team effort, not just something that the IT departments need to worry about. All employees should be trained on the basics of data protection and made aware of their responsibilities in keeping customer information safe. In addition, organizations should ensure their employees are knowledgeable about their country’s data regulations and use this information to guide their data handling practices.

Understand Your Media Supply Chain

The most straightforward thing you can do to stay on top of your business’ privacy compliance is to know who is handling your data and what they are doing with it. This means having a handle on who has access to customer information, as well as any third-party companies that are sharing or reselling the data. With this knowledge, you can take decisive action to reduce compliance risk and maintain your business’ reputation.

Build a Portfolio of Privacy-Safe Solutions

The consensus among industry experts seems to be clear – among an increasingly stringent landscape of regulations, cookies are on their way out. Companies need to start thinking about how they will replace these tools in order to maintain the same level of customer insights. Alternatives like first-party data IDs, publisher provided IDs, contextual advertising, and server-side solutions are all viable options for businesses to consider.

While today’s data privacy landscape is certainly complex, it isn’t completely unnavigable. By assessing their data privacy practices and investing in technology that can offer better transparency and control, organizations can significantly reduce their risk of non-compliance and ensure they’re prepared to tackle the future of online privacy head-on.