When it comes to privacy compliance risk on a website, often the most dangerous risks are the “unknown unknowns”—instances where risk is present but the organization simply has no idea that the activity is happening. Understanding exactly what data is being collected from website visitors and where it is being sent is not an easy process. Most organizations rely upon privacy and security questionnaires being filled out by vendors either in the procurement or risk assessment process. In the world of advertising technology, however, so much sharing of consumer data is happening that it often is never reflected in these reviews. A primary source of risk that slips through these cracks is the sharing and selling of personal information to data brokers.
According to the California Privacy Protection Agency, a data broker is “a business that consumers don’t directly interact with, but that buys and sells information about consumers from other businesses.” The digital advertising ecosystem is rife with data brokers. These platforms are used to create and enrich audiences for targeted advertising. By aggregating behavioral and profile data for individuals and then associating those profiles with unique digital identifiers such as cookies and persistent IDs, data brokers are able to provide an advertiser (and their partner platforms) with improved targeting and thus the potential for improved media effectiveness.
This practice, and usage of data broker platforms, is not on its face malicious or bad. It helps to realize value for an organization and can be justified with legitimate business use cases. The challenge for compliance professionals stems from the opaque ways in which data brokers are often used and technically function. Often, the advertiser (website operator) is not working directly with the data brokers in question. Rather, these platforms are used either via directly contracted advertising technology and/or by media agencies that the organization partners with. To compound matters, the data broker platforms themselves often load on a site via piggybacking, that is, injection by other technologies that are directly deployed. You can see an example of this below.
So why is this a risk?
Data brokers collecting data on a website present an inherent risk due to the purpose for their processing of data. The purpose of a data broker is to facilitate targeted advertising, often with direct implications for the sale and share of consumer data by an organization. Put simply, if a data broker is loading on the website and collecting consumer data, then processing for targeted advertising and the sale/share of data is happening. Compliance steps must be taken to ensure this behavior is accounted for in consumer notices, consent and opt-out architectures, data subject requests, and risk assessments. In all too many cases, organizations are simply unaware of the presence of these platforms, so these steps are never taken.
Enforcement agencies across the globe are increasingly taking notice. The past year has seen increased enforcement activity against the practices of data brokers and the ways in which data from these platforms is being used to target consumers. Several states in the United States have also introduced unique data broker laws requiring these platforms to register and implement added protections for the data they process. California even included in their law a requirement for a universal deletion mechanism whereby a consumer can request the deletion of their data and all registered data brokers will have to delete any records associated with the individual. This mechanism is to be in place by 2026.
So, what should advertisers do about data broker risk?
It starts with understanding whether your organization is disclosing any consumer data to a registered data broker. The best place to begin is with a Compliance Risk Assessment from Tag Inspector, which will scan all the pages of your website to identify the presence of any data brokers on the California Privacy Protection Agency registry. From there, it is important to go to advertising teams and agency partners to understand why and how these platforms are being used in their media strategies. As mentioned before, there could very well be legitimate business needs for using these platforms. If this is the case, then take the necessary compliance considerations into account to ensure the disclosure of personal information to these platforms adheres to the organization’s privacy policy and is respectful of consumer rights and expectations.
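To make the piggybacking and registry-matching ideas above concrete, here is an added example (not Tag Inspector's code) that reads a browser HAR capture, flags requests to broker domains, and reconstructs which tag loaded which. The domains, the `BROKER_DOMAINS` list and the sample capture are constructed placeholders; the chain relies on the `_initiator` field that Chrome DevTools writes into HAR exports.

```python
from urllib.parse import urlsplit

BROKER_DOMAINS = {"broker.example"}  # constructed placeholder for registry domains

def host(url):
    return (urlsplit(url).hostname or "").lower()

def in_domains(h, domains):
    return any(h == d or h.endswith("." + d) for d in domains)  # domain or subdomain

def initiator_url(entry):
    # "_initiator" is the non-standard field Chrome DevTools adds to HAR exports.
    init = entry.get("_initiator") or {}
    frames = (init.get("stack") or {}).get("callFrames") or []
    return init.get("url") or (frames[0]["url"] if frames else None)

def broker_load_chains(har, site_host, brokers=BROKER_DOMAINS):
    """List each broker request with the chain of hosts that caused it to load."""
    entries = har["log"]["entries"]
    parent = {e["request"]["url"]: initiator_url(e) for e in entries}
    findings = []
    for e in entries:
        url = e["request"]["url"]
        if not in_domains(host(url), brokers):
            continue
        chain, seen, cur = [], set(), url
        while cur and cur not in seen:  # walk initiators upward, guarding cycles
            seen.add(cur)
            chain.append(host(cur))
            cur = parent.get(cur)
        chain.reverse()  # page first, broker last
        direct = len(chain) < 2 or in_domains(chain[-2], {site_host})  # or no initiator data
        findings.append({"broker": chain[-1], "chain": chain, "piggybacked": not direct})
    return findings

def har_entry(url, initiator):
    return {"request": {"url": url}, "_initiator": initiator}
def by_script(url):
    return {"type": "script", "stack": {"callFrames": [{"url": url}]}}

# Constructed sample capture: page -> tag manager -> ad platform -> broker.
SAMPLE_HAR = {"log": {"entries": [
    har_entry("https://tags.tagmanager.example/c.js", {"type": "parser", "url": "https://shop.example/"}),
    har_entry("https://cdn.adplatform.example/pixel.js", by_script("https://tags.tagmanager.example/c.js")),
    har_entry("https://sync.broker.example/match?id=1", by_script("https://cdn.adplatform.example/pixel.js")),
]}}

if __name__ == "__main__":
    for f in broker_load_chains(SAMPLE_HAR, "shop.example"):
        print(f["broker"], "piggybacked" if f["piggybacked"] else "direct", " -> ".join(f["chain"]))
```

A finding marked `piggybacked` names the directly deployed technology to raise with the advertising team or agency, since that is the tag that pulled the broker onto the page.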