Advertising technology platforms pose a unique risk for compliance due to the data they collect, purposes for processing, and the ways in which platforms can be configured to limit (or enable) those processing purposes. To start, every advertising technology is collecting data. This data would be considered personal data or personal information under all laws and regulations around the world. At minimum, they will collect a device identifier used to analyze consumer behavior.
These device identifiers are combined with behavior information for users both on the website itself as well as broader behavioral information that advertising platforms have collected about that user from other sources. Where it gets complicated is that many advertising platforms can be configured to only use this personal information and behavioral data for measurement purposes, or for purposes of both measurement and profile creation for targeting. This complexity of configuration can make it hard for privacy professionals to fully understand what advertising platforms are being used for. This information can then help them with compliance issues like consumer disclosure and the consent architecture.
As an example, let’s examine a very common platform that many organizations use, and many privacy teams don’t often consider an “advertising platform”: Google Analytics.
Google Analytics (GA), as the name implies, is used by many companies for web analytics purposes to understand how consumers are interacting with their website(s). Out of the box, GA will set and collect a unique device identifier for each visitor to a website on which the platform is implemented. This identifier is associated with any user interactions tracked, pages viewed, etc. Personal information / personal data is being processed, requiring privacy compliance considerations under relevant laws and regulations.
But what are privacy compliance considerations? And how does this relate to broader advertising platform risk? Let’s review some of the most common privacy compliance requirements in global regulations to further examine the risks posed by advertising platforms.
United States Privacy Laws
U.S. State comprehensive privacy laws provide a patchwork of compliance requirements for organizations operating across the United States. While specific details may vary from one state to another, there are some common considerations to look for as it relates to privacy compliance and advertising platforms.
Consideration: “Service Provider” / “Processor” vs “Third Party” Designation
The designation of a third-party advertising vendor as a “service provider” (CCPA) / “processor” (VCDPA) or a “third party” has a significant impact on the compliance considerations that must be taken into account. A “service provider” (or “processor”) is generally an entity that processes personal information on behalf of the contracting business. This means they do not retain, use, or disclose the personal information provided to them for any purpose other than to perform services on behalf of the controller (the organization whose website data is being collected from) as specified in their contract with the controller.
This distinction is very important. Often, the simple disclosure of personal information to a “third party” (i.e. sending data to the advertising vendor) will trigger requirements for consumer choice, risk assessments, and consumer notice. Due to the nature of advertising platforms, most will fall within the “third-party” designation. As if this isn’t complicated enough, the designation can depend upon how the platform is configured and if settings for restricted data processing are applied.
To illustrate this, we can review the configuration for Google Analytics. When initially creating a Google Analytics Account, on the first configuration screen, users are presented with a set of Data Sharing Settings.
All but one option is selected by default, with the one requiring user confirmation being sharing data with Google for “Google products & services”. This seems pretty innocuous, and many organizations will choose to share their GA data for this purpose. But this setting is critical for GA to be operating in “restricted data processing” mode and thus be considered a “service provider” or “processor” for privacy compliance purposes. Ticking that box will make GA a “third party” and trigger additional compliance obligations, including requiring the stopping of sending of data to GA (blocking the GA tag on the website from loading) upon user opt-out. This user choice consideration is due to U.S. State law requirements for user choice in the sharing and/or selling of their personal information.
Consideration: Sale/Share of Personal Information
User choice in U.S. State comprehensive privacy laws mostly focus on explicit consent requirements for the collection and processing of sensitive and children’s data as well as user choice requirements to allow all consumers to opt out of the sale and/or sharing of their personal information. For advertising platforms, which often have their own restrictions on an organization sending them child or sensitive information, we’re primarily interested in the implications for opt-out of sale/share and targeted advertising.
Different states’ laws have different definitions for “sale” and “sharing” of data, but for our purposes here, we can generally say that any disclosure of personal information to a third party for personalized advertising (targeting a user across the web with advertising informed by behavioral information of that user collected from a separate website, including the advertiser’s own) will fall within these definitions.
This is exactly what most advertising technologies loading on a website facilitate. They collect behavior information from visitors and use that to either directly target those same users on other sites via retargeting or use the information to inform profiles for those users and then target advertising to them as part of a common cohort. This fact requires advertising platforms on a website to be configured to respect this user choice, either via stopping all data disclosure (collection) via those platforms or configuring restricted data processing such that the platform will only process any personal information received strictly for measurement purposes.
In addition to user choice requirements, various laws also place specific consumer notice obligations related to details about the sale and sharing of their personal information. An organization that discloses one thing to a user, such as a statement that they do not sell or share their personal information or a statement that they respect consumer opt-out for targeted advertising, but then do not, can open up additional compliance risks for the organization.
Consideration: Consumer Misrepresentation
Scenarios where an organization will represent to their website visitors that they are treating personal information in a certain way, and then do not, are increasingly being prosecuted under consumer protection laws in the United States. Take the example provided above, where a website states in their privacy notice to website visitors that their personal information will never be sold or shared. If that same website has advertising platforms loading and collecting user behavior, guess what? They are at minimum “sharing” that data per the definitions in U.S. privacy laws! Likewise, take an example where a user is provided the ability to opt out of the sale/share of their personal information for targeted advertising. Upon the user’s indication of opting out, if the website continues to disclose their data via advertising tags loading on the site, again, they are misrepresenting their compliance controls to the user!
Cases such as these are being picked up and targeted by enforcement agencies such as the Federal Trade Commission under consumer protection laws like Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices”. It is critical for organizations to do what they say when it comes to privacy.
Consideration: Wiretapping Risk
A number of states have laws related to “wiretapping” and/or the recording of communications. Many of these, such as the California Invasion of Privacy Act (CIPA), include private rights of action whereby individuals can bring an action against an organization. In recent years, private litigators have begun filing legal actions against companies related to their collection of user behavior information via advertising platforms on websites without consent and/or proper disclosure. While these actions can be relatively small in dollar terms, they represent a significant legal burden for organizations due to legal costs and the high number of actions brought. It is a good idea for organizations to review their usage and collection of data via advertising platforms to understand potential risks related to these wiretapping laws.
European Privacy Laws
As it relates to privacy compliance requirements for European users and organizations operating in the European Union related to advertising platforms, we are mostly concerned with the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD). GDPR imposes a number of obligations on controllers (the website where advertising platforms are collecting information) as well as grants basic rights to consumers. On the other hand, ePD requires country-specific laws that protect users from the incursion upon their private sphere when operating in a digital context (accessing their devices). The usage of advertising platforms on a website introduces privacy compliance risks due to both of these laws.
Consideration: Privacy Rights of Users
GDPR guarantees rights for users related to notice and disclosure, access to personal information, user choice, rectification of inaccuracies, and data deletion, among others. As advertising platforms collecting data on a site will always be processing personal data, all of these rights must be ensured by an organization connected with their use of advertising technologies.
Consideration: Consent
Consent obligations for organizations using advertising technologies on websites focused on European users come from both GDPR and ePD. GDPR requires a lawful basis for the processing (including collection) of personal data. In the case of processing for advertising, the lawful basis is more often than not consent. In addition to this need to obtain consent to collect personal data via advertising platforms, ePD also requires consent for the accessing of a user’s terminal device (i.e. their computer / browser). Clarification and guidance released in October 2024 by the European Data Protection Board explicitly states that consent is necessary for the execution of third-party tags (pixels) on a website.
Taken together, this requires websites to obtain explicit consent from users prior to executing advertising platform tags/pixels and collecting data from users on websites. Failure to adhere to these requirements introduces significant compliance risks due to the volume of users on a website as well as the relative ease in identifying such infractions.
Implicit and Explicit Privacy Compliance Risk
From the above review, it is clear that the usage of advertising platforms on a website introduces privacy compliance risks for an organization. It is helpful to think about these risks in two categories: implicit and explicit risk.
Implicit risk is that which is inherent to the usage of the technologies. Personal information and personal data is being collected and processed for targeted advertising purposes. This requires various compliance considerations such as notice, risk assessment, and user choice. In addition to these compliance considerations, privacy platforms implemented via client-side tags and pixels also carry implicit risk due to the fact that they are third-party javascript that the organization has limited control over. A platform, technically, can modify the script and thus the data being collected as well as what they are doing with that data once they have it.
Often, the implicit risks that come with the usage of advertising technologies are worth it for the organization—so long as those risks are reviewed, understood, and proper policy and process is in place. After all, organizations are in business to make money. Effective advertising is a significant driver of those returns, and advertising platforms to collect information about user behavior is critical to optimize those efforts. Where issues really arise are with explicit risks.
Explicit risks are failures in the privacy program related to advertising platforms. These are introduced when the consent architecture is not properly configured to respect user choice or when advertising technologies are not properly reviewed to understand data processing and thus consumer rights are not adequately respected. It is critical to understand what advertising platforms are loading on your websites to ensure possible risks are mitigated and the processing behaviors match your understanding.
Mitigating Compliance Risks of Advertising Platforms
Clearly there is business value in using advertising platforms to be able to measure media effectiveness, understand consumer behavior, and personalize advertising to consenting audiences. At the same time, there is clear privacy compliance risk. The key is to mitigate these risks as much as possible, such as to optimize business value while controlling for compliance risk. We recommend organizations address risk mitigation related to advertising platforms in a few ways:
- Always understand what platforms are collecting data on your website.
This first step sounds easy, “of course I know all the advertising platforms collecting data on my site!” All too often (in more than 80 percent of our experience with clients) there are legacy platforms still loaded somewhere on a site, platforms loading in other platforms (“piggybacking’), or tools that just made it through the cracks. Automated scanning technologies like Tag Inspector can provide a holistic view of the technologies loading to form a foundation for further compliance review.
- Properly audit and evaluate what data is being collected and for what purpose it is used.
As covered earlier with the GA example, many technologies have multiple configuration options which can tip them into the “advertising” category. It is not enough just to know that a particular platform is loading. What data is being collected? How is the platform being used? Is that data being exported and pulled into any other processes for other purposes? Start with the list of platforms loading and then dive deeper into the what and why to ensure all compliance considerations are being made.
- Architect the user consent architecture to properly respect user privacy preferences.
It is not enough to simply implement a Consent Management Platform (CMP) on a website! CMPs do a wonderful job of managing the consent experience for a user and recording records of consent/opt-out. But they do little to control the actual loading behavior of the advertising tags/pixels responsible for data collection and processing. Advertising tags must be configured to respect consent signals as indicated by the CMP. Advertising tags must also be properly classified and categorized to align with the consent categories as presented and selected by the user. Further optimizations can also be made in some contexts, like the United States, to more granularly configure tags to operate in restricted data processing modes such that data is still collected for reporting but is blocked from being processed for targeted advertising.
- Audit and monitor the behavior of advertising platforms and the consent architecture to identify and remediate issues.
The only way to identify and address explicit risks before a private litigator or enforcement agency does is to regularly audit and monitor. For advertising platforms on a website, this means automated scanning processes to identify any unauthorized platforms and any issues in the consent architecture with a tool such as Tag Inspector.
Advertising platforms on websites are absolutely necessary for most organizations. There is a definite business need to optimize advertising efforts. Consider the compliance implications of the usage of these technologies to respect the privacy rights of your consumers and earn user trust.
