It is every compliance professional’s worst nightmare—a notice of an action being brought against their organization. It could come from a regulator providing notice of an alleged regulatory violation, or increasingly, it could come from a private right of action alleging a breach of consumer protection law. In either case, an investigation will be underway and there will be legal bills to pay. A prominent area of risk for organizations is data collection via third-party marketing and analytics platforms on websites. These platforms, and their pixels or tags responsible for the data collection on sites, have been an increasing source of global compliance scrutiny and legal challenges.
When an action is brought concerning advertising data collection and usage, there are two types of organizations. First, there are those that will say they have policies and processes in place but will need to reactively launch an investigation to verify privacy controls are being maintained in practice. And second, there are those that will have policies and processes in place and already have a system in place to proactively document and demonstrate compliance principles are being followed. In today’s privacy environment, it is important to be the latter type of organization. Organizations need to create and maintain a defensible position for all marketing and advertising data collection.
Policy & Process
A defensible position for compliant usage of consumer data for advertising begins with the definition of policies by legal and privacy teams. Policies should be defined to establish the company’s risk tolerance and what is permissible for data collection and usage with marketing and advertising platforms. All new platforms that marketing brings to the table need to be reviewed for risk up-front with compliance requirements defined. Things like what data is allowed to be collected, how it is allowed to be used, and how collection/processing behavior should change depending upon the consumer’s consent choice, all need to be considered. All of this information must be documented and used to inform privacy components such as disclosures and access and deletion requirements.
Once clear compliance policies are defined, with the resulting documentation in place, a strategy for a defensible position can be established. The next step is implementing processes to support policy application in practice. For marketing and advertising data collection via tags, this means processes for reviews, approval, and documentation of new platforms as well as new instances of platforms to be added to a site. It also means processes for ongoing reviews as the privacy landscape evolves. Process strategically adds friction to review and implementation workflows to ensure compliance with applicable laws and regulations.
Monitoring for a Defensible Position
Policies and the processes to support them provide a great plan. But as the idiom goes, “the best laid plans of mice and men often go awry”. A system for ongoing monitoring is necessary to proactively identify where data collection in practice diverges from the privacy policies in place. At the same time, ongoing monitoring produces documentation that the privacy controls for data collection and processing are actually being adhered to, which is what demonstrates a defensible position for an organization. This is especially important in the United States, where a number of consumer privacy laws carry a private right of action and litigious law firms can bring actions against an organization. These actions are increasingly targeting data collection practices for advertising use cases under such laws as the California Invasion of Privacy Act and the Video Privacy Protection Act. Even for organizations doing everything right, without records to demonstrate compliance, these legal challenges can be expensive and an operational headache.
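As an added illustration of what such a monitoring check looks like in practice (example code written for this article, not code from the original post or from Tag Inspector), the snippet below compares the tag requests observed on one page load against a written policy for the visitor's consent state and emits an evidence record. The policy, hostnames and sample requests are hypothetical and constructed here.

```javascript
// Hypothetical policy: which tag hosts may fire under each consent state, and which
// query-string keys must never leave the site in a tag request.
const POLICY = {
  allowedHosts: {
    none: ["tags.example-site.test"],                       // strictly necessary only
    analytics: ["tags.example-site.test", "collect.example-analytics.test"],
    marketing: ["tags.example-site.test", "collect.example-analytics.test", "px.example-ads.test"],
  },
  forbiddenParams: ["email", "phone", "user_id"],
};

// Audit one page load: every observed request must go to a host permitted for the
// consent state the visitor had, and must not carry a forbidden parameter.
// The returned object is the evidence record to keep as documentation of the check.
function auditTagRequests(pageUrl, consentState, observedUrls, policy = POLICY) {
  const allowed = new Set(policy.allowedHosts[consentState] || []);
  const findings = [];
  for (const raw of observedUrls) {
    const u = new URL(raw);
    if (!allowed.has(u.hostname)) {
      findings.push({ url: raw, issue: `host ${u.hostname} not permitted under consent '${consentState}'` });
    }
    for (const key of policy.forbiddenParams) {
      if (u.searchParams.has(key)) {
        findings.push({ url: raw, issue: `forbidden parameter '${key}' present in request` });
      }
    }
  }
  return {
    pageUrl,
    consentState,
    checkedAt: new Date().toISOString(),
    requestCount: observedUrls.length,
    findings,
    compliant: findings.length === 0,
  };
}

// Constructed sample: the visitor declined all optional tracking ("none"), yet a
// marketing pixel fired and an analytics request carried an e-mail address.
const SAMPLE_REQUESTS = [
  "https://tags.example-site.test/loader.js",
  "https://px.example-ads.test/conv?id=123",
  "https://collect.example-analytics.test/g?ev=pageview&email=jane%40example.test",
];
const sampleAudit = auditTagRequests("https://www.example-site.test/checkout", "none", SAMPLE_REQUESTS);
console.log(JSON.stringify(sampleAudit, null, 2));
```

Run over captured requests from each monitored page load, the stored records show both where practice diverged from policy and, for compliant loads, that the controls held.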
Visibility for Server-side Tag Management
Evolving best practices in data collection architecture are making the challenge of documenting a defensible position more difficult. In response to third-party cookie deprecation and the relative increase in the value of first-party data, many organizations are adopting server-side tag management. With this approach, data distribution is moved from a user’s browser to an advertiser-owned server environment. Server-side tag management can confer many benefits related to the control of data, including compliance benefits, but at the same time makes data flows opaque and is much more technical in operation. As a result, privacy teams need to maintain visibility into data collection activities in the live environment with tools such as Tag Inspector’s server-side tag monitoring functionality.
A website is a primary source of consumer data collection for any organization. The compliance risks inherent in the distribution of this data to marketing and advertising platforms must be addressed through effective policies and processes. But this is not enough. Privacy policies must be monitored in practice, creating documented proof of compliant data collection and tag behavior. Only once a defensible position for compliance is implemented and monitored can compliance risks truly be mitigated.