As the data landscape continues to change to better protect the consumer, the sharp teeth that many feared in recent privacy legislation are beginning to be used.
Just this week we saw record fines with Norway’s decision to fine the dating app Grindr 10% of their global revenue ($11.7 million USD) for data sharing with third-party advertising partners. Even overlooking this amount, fines for GDPR violations in January 2021 amount to almost 17 million Euros. The enforcement of a privacy-focused web is a necessity for your business.
While we are all familiar by now with GDPR, CCPA, ePrivacy, etc. – and hopefully have gone through steps to be compliant under their guidelines – it’s also important to implement and enforce privacy-focused processes within your organization. Without regular maintenance of your governance policies, you risk being the next organization facing regulatory fines and an erosion of consumer trust. Let’s explore 5 foundational actions you should take today to stay on top of your marketing and advertising data privacy requirements.
1. Maintain visibility into all sources of data collection on your digital properties
If you don’t know what data is being collected and by what platforms, you have no chance of having the technical or organizational controls in place to ensure compliant data processing activities. Before you can create a plan or evaluate current effectiveness, you must have visibility into all sources of data collection.
The most obvious violations of privacy legislation, and often the most frequently enforced, are failures to disclose to your users what data you are collecting and how it is being used. With the proliferation of third-party advertising and marketing technologies in place, it’s no wonder. Oftentimes these technologies will piggyback, or load in, additional technologies that you may not even be aware of without proper auditing. This behavior can lead to the sharing of user identifiers across platforms and the targeting of users around the web.
In Europe, this type of data collection for targeting must be disclosed to users. All users must give explicit and informed consent to the practices for data collection to occur. In the above Grindr case, one of the Norwegian DPA’s main findings was that users were given neither proper disclosure nor a consent choice regarding this sharing of their personal information. To ensure you aren’t the next organization being fined 10% of your global revenue, make sure you provide proper disclosures and proper user choice with respect to data sharing activities. This all starts with maintaining visibility into what platforms are collecting what data on your digital properties.
2. Define a list of approved platforms and collection behavior
Once you have full visibility into the platforms loading on your digital properties and what data is being collected, go through and define what practices are compliant (and approved) and what practices need to end. This exercise should start at the point of collection – what data is collected by what platforms – and extend all the way through the lifecycle of each data point: Is that data shared, and if so with whom? Is that data sold, and if so with whom? It is critical that you are able to disclose, give user choice, and put protections in place at each and every stage.
Once you define the list of approved platforms and data behavior, you have a foundational document that can be leveraged to inform compliance decisions – an Approved Platform Policy. It is also important to monitor against the defined Approved Platform Policy as technologies and your organization’s use of data is likely to change.
3. Regularly review your “Approved Platform” policy
When it comes to maintenance of your “Approved Platform Policy”, it is important to re-approve all platforms at a regular interval. This process should consist of a full evaluation of each approved platform every 12-18 months. This means auditing what data is collected, how it is used in your organization, whether data is shared or sold, and how the data flows throughout your organization. This should also include a deep dive into the technology to ensure that no new data points are being collected and no new third parties are being introduced as a result of using the vendor in question. Technology is constantly evolving, with new features being added, bug fixes going out, etc. This thorough review ensures you are proactively vetting and evaluating all of your vendors to ensure continued compliance.
4. Ongoing policy monitoring of data collection behavior on your digital properties
Monitoring adherence to the Approved Platform Policy helps you ensure that the organization is only working with approved vendors and is not introducing platforms to digital properties that have not been evaluated for privacy and compliance. The most common violations of defined policies happen when piggybacking, or daisy-chaining, begins happening on a website. In these cases, third-party vendors will begin injecting the code for other third parties into your web pages to share cookie information and data from users. This represents a compliance risk if that behavior has not been evaluated, approved, and disclosed to users, giving them the proper ability to consent. Regular monitoring with a platform like Tag Inspector gives you constant visibility into the platforms loading on your site and the data collected, automating this policy monitoring process.
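To make the monitoring step concrete, here is an added example (not code from the original post or from Tag Inspector) of the check a tag-monitoring job can run: every third-party host observed loading on a page is compared against an Approved Platform Policy, and any load triggered by a vendor that is not approved to load other vendors is flagged as piggybacking. The policy entries, the first-party hostname, and the resource log are all constructed sample values; a real job would feed in the resource URLs and initiator hosts recorded by a crawl or by the browser’s Performance API.

```javascript
// Added example: audit observed third-party loads against an Approved Platform Policy.
// All hostnames and the resource log below are constructed for illustration.

// Constructed policy: approved vendor hostname -> purpose and whether the vendor is
// approved to load further third parties (e.g. a tag manager is; an ad pixel is not).
const APPROVED_PLATFORM_POLICY = {
  "analytics.approved-example.com": { purpose: "site analytics", mayLoadOthers: false },
  "tagmanager.approved-example.com": { purpose: "tag management", mayLoadOthers: true },
  "ads.approved-example.net": { purpose: "advertising", mayLoadOthers: false },
};

// Constructed first-party hostname of the site being monitored.
const FIRST_PARTY_HOST = "www.shop-example.com";

// Constructed resource log: the URL that loaded and the host of the script that
// triggered the load (the "initiator"), as a monitoring crawl would record them.
const SAMPLE_RESOURCE_LOG = [
  { url: "https://www.shop-example.com/app.js", initiatorHost: "www.shop-example.com" },
  { url: "https://tagmanager.approved-example.com/tm.js", initiatorHost: "www.shop-example.com" },
  { url: "https://analytics.approved-example.com/collect?uid=abc", initiatorHost: "tagmanager.approved-example.com" },
  { url: "https://ads.approved-example.net/pixel.gif", initiatorHost: "tagmanager.approved-example.com" },
  // Cookie-sync call injected by the ad vendor, not by the site: daisy-chaining.
  { url: "https://sync.unknown-dsp-example.org/match?uid=abc", initiatorHost: "ads.approved-example.net" },
  // Vendor added directly to the page without going through the approval process.
  { url: "https://cdn.another-vendor-example.io/widget.js", initiatorHost: "www.shop-example.com" },
];

function isFirstParty(host) {
  return host === FIRST_PARTY_HOST;
}

// Return the policy key covering `host` (exact match or a parent domain of it), or null.
function approvedEntryFor(host, policy) {
  for (const approvedHost of Object.keys(policy)) {
    if (host === approvedHost || host.endsWith("." + approvedHost)) return approvedHost;
  }
  return null;
}

// Walk the resource log and produce three lists:
//   approved    - third-party loads covered by the policy
//   unapproved  - third-party hosts the policy does not mention at all
//   piggybacked - loads triggered by a third party that is not approved to load others
function auditResourceLog(log, policy = APPROVED_PLATFORM_POLICY) {
  const findings = { approved: [], unapproved: [], piggybacked: [] };
  for (const entry of log) {
    const host = new URL(entry.url).hostname;
    if (isFirstParty(host)) continue; // first-party assets are out of scope here

    const approvedKey = approvedEntryFor(host, policy);
    if (approvedKey === null) {
      findings.unapproved.push({ host, url: entry.url, loadedBy: entry.initiatorHost });
    } else {
      findings.approved.push({ host, purpose: policy[approvedKey].purpose });
    }

    // Piggybacking check: who triggered this load, and were they allowed to?
    const initiator = entry.initiatorHost;
    if (!isFirstParty(initiator)) {
      const initiatorKey = approvedEntryFor(initiator, policy);
      const initiatorMayLoad = initiatorKey !== null && policy[initiatorKey].mayLoadOthers;
      if (!initiatorMayLoad) findings.piggybacked.push({ host, loadedBy: initiator });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed log.
console.log(JSON.stringify(auditResourceLog(SAMPLE_RESOURCE_LOG), null, 2));
```

On the constructed log this reports two unapproved hosts (the cookie-sync endpoint and the directly added widget vendor) and one piggybacked load (the sync call triggered by the ad pixel), which is exactly the pair of findings the policy review in the previous sections needs to act on: either approve and disclose the new vendor or remove it.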
5. Map integrations and how data flows throughout the data ecosystem
Privacy requirements don’t end at the point of collection with disclosure and choice. Users’ rights with respect to their personal data apply throughout the entire data lifecycle. It is imperative to understand what data is processed by what platform, whether it is shared or sold, where and how it is stored, and whether additional technical safeguards are applied in the case of sensitive information. After all, how can you respond to a user’s data access request if you don’t know where the data goes and where it lives?
To address this, you must create a data map and walk all data through the entire lifecycle from collection to deletion. Identify the different platforms that are processing the data, who has access, and the technical protections that are applied at each stage. All of this documentation will inform the roadmap for which privacy initiatives are critical for compliance, as well as all disclosures for users.
Privacy is the new normal. Users have increasing expectations of businesses to properly protect the information they are collecting from them. To thrive in this new environment, you must implement the processes necessary to not only create privacy programs but to maintain them. Start with these 5 processes as a foundation for your data governance program.