Privacy-Centric Growth: How to Mature Your Privacy Program


It’s fairly safe to say that 2024 was the year of “cookieless” solutions. And may we hope this over-used term is finally dropped in the new year! As advertisers geared up for Google Chrome’s plans to finally sunset support for third-party cookies by year-end (psych—good joke, Google!), the advertising technology space churned out countless “cookieless” alternatives promising to maintain user tracking and targeting. In parallel, marketers and advertisers were slowly being reminded of the utility of first-party data collected directly from their consumers. With this confluence of factors, 2025 is shaping up to be the year in which new applications for all of this newly collected and repatriated first-party data come to the fore.

The current state—increased volumes of consumer data integrated together and new technologies available for extracting value from it—introduces an increased need for adequate privacy controls. For this, organizations need a sound and mature privacy program to ensure the privacy rights of consumers are respected while using first-party data to meet the needs of the business. 

According to the IAPP, privacy program management is the structured approach to combining several projects into a framework and lifecycle to protect personal information and the rights of individuals. The components of the privacy program that are most involved when using consumer data for marketing and advertising are cookie/tag consent management, consent management, data subject requests, and privacy risk reviews for new vendors and activities. All components of a privacy program should be assessed for their maturity level and optimized according to business needs. 

The IAPP outlines five standard levels of maturity for auditing and monitoring privacy program performance:

  1. Ad-hoc – When a component of the program is informal, incomplete, and inconsistent.
  2. Repeatable – When a component of the program has procedures but they are not documented, nor are they holistic.
  3. Defined – When a component of the program has a documented process which is implemented and covers all relevant aspects. 
  4. Managed – When a component of the program is defined and has regular reviews which are conducted to assess the effectiveness of implemented procedures. 
  5. Optimized – When a component of the program is managed and review and feedback loops are in place to further improve. 

Let’s evaluate each of the privacy program components most impactful for marketing and advertising use cases to see how your organization can assign current maturity levels and develop a strategy for improvement. 

Tag/Cookie Consent Management

Tag and cookie consent management is the process of managing the execution of tags (or pixels) as well as the placement of cookies by those tags on a website. Most websites use a Consent Management Platform (CMP) to manage the consent experience for a user and to raise technical signals indicating the user’s consent preference selections. From there, tags must be configured to either load/not load according to the consent selection or to load in a way in which limited data is collected and/or limited (or no) cookies are set on the user’s browser.

Ad-Hoc

An ad-hoc process for tag/cookie consent management is really the absence of any process or system for managing user consent on a website. Either the website does not have a CMP in place to provide users a consent choice or a CMP is in place but tags are not configured to listen for consent signals from the CMP and are thus loading in an unlawful manner. 

If this is your organization, invest in a CMP and configure all tags to respect the consent preferences of users. 

Repeatable

Organizations with a repeatable process are those that have a CMP in place and most or all tags configured to respect the user’s consent choices, but no documented tag/cookie consent policy. In this scenario, either the IT team or the partners implementing tags will just take a request for implementation and configure the requested tag in whatever consent category or condition they think would be applicable. No standards or documentation have been created to govern this process.

If this is your organization, it is critical to document a tag/cookie consent policy for your organization. All new platforms must be reviewed prior to implementation to understand the nature of the data being collected and the purposes for its use. Following review, the tags should be categorized for consent and added to a defined tag consent policy. The consent policy should be a living document for all approved platforms with a set re-review date for each platform (recommended to be 12 months from the date of approval). All implementations of new instances of tags should have controls to ensure the platform is included in the documented approved tag consent policy along with the standards for how the tag should behave across each consent choice available to the user.  

Defined

Organizations with a defined process are those that have a CMP in place, all tags configured to respect users’ consent choices, and a documented tag/cookie consent policy. Processes are also established for implementation requirements for consent for all approved platforms.

If this is your organization, it is time to take the review process to the next level with regular reviews of implemented platforms as well as ongoing technical audits to ensure your live website environment is in compliance with your defined tag/cookie consent policy. Regular platform reviews should be conducted at a consistent cadence; every 12 months is recommended. These platform reviews should be an analysis of any changes to the data being collected, cookies being set, and internal uses of the data—both by the platform directly as well as any downstream processing activities. Standards and approvals, along with the documentation, should be updated based upon these regular reviews.

Ongoing technical audits, such as those offered by Tag Inspector, should be conducted on a recommended monthly basis to validate that live behavior of tags on the website is in compliance with the defined tag/cookie consent policy. Any identified unauthorized activity should be reviewed and remediated as soon as possible to mitigate privacy compliance risks.
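A minimal sketch of such an audit, added here as an illustration and not taken from Tag Inspector or any other product: it compares tag requests observed on a site against a documented tag/cookie consent policy and reports unapproved platforms, tags that fired or set cookies without consent, and platforms past their re-review date. The policy layout, field names, domains, and sample observations are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed tag/cookie consent policy (hypothetical platforms and dates).
# "without_consent" states how the tag must behave when the user has NOT
# granted its category: "load" (consent not required), "no_cookies"
# (may load but must set no cookies), or "block" (must not load at all).
POLICY = {
    "cmp.example": {"category": "strictly_necessary",
                    "without_consent": "load",
                    "review_due": date(2025, 6, 1)},
    "analytics.example": {"category": "analytics",
                          "without_consent": "no_cookies",
                          "review_due": date(2025, 1, 15)},
    "ads.example": {"category": "advertising",
                    "without_consent": "block",
                    "review_due": date(2024, 3, 1)},
}

AUDIT_DATE = date(2024, 12, 12)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Observation:
    """One tag request captured during a site scan."""
    url: str                 # request URL issued by the tag
    consent: frozenset       # consent categories granted when it fired
    cookies_set: tuple = ()  # cookie names the tag set on that request


def platform_for(host, policy):
    """Map a request host to an approved platform domain, or None.

    Matching is on whole DNS labels, so 'px.ads.example' matches
    'ads.example' but 'evilads.example' does not.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return candidate
    return None


def audit(observations, today, policy=POLICY):
    """Return a list of (finding_code, subject, detail) tuples."""
    findings = []
    for obs in observations:
        host = urlparse(obs.url).hostname or ""
        platform = platform_for(host, policy)
        if platform is None:
            # Tag is live on the site but absent from the approved policy.
            findings.append(("UNAPPROVED_PLATFORM", host, ""))
            continue
        entry = policy[platform]
        if entry["category"] in obs.consent or entry["without_consent"] == "load":
            continue  # consent granted, or consent not required
        if entry["without_consent"] == "block":
            findings.append(("FIRED_WITHOUT_CONSENT", platform, entry["category"]))
        elif obs.cookies_set:  # "no_cookies" rule violated
            findings.append(("COOKIES_WITHOUT_CONSENT", platform,
                             ",".join(obs.cookies_set)))
    # Policy hygiene: approved platforms whose re-review date has passed.
    for platform, entry in sorted(policy.items()):
        if today > entry["review_due"]:
            findings.append(("REVIEW_OVERDUE", platform,
                             entry["review_due"].isoformat()))
    return findings


# Constructed observations, as a scanner might record them.
SAMPLE_OBSERVATIONS = [
    Observation("https://cmp.example/banner.js", frozenset()),
    Observation("https://www.analytics.example/collect",
                frozenset({"analytics"}), ("_an_id",)),
    Observation("https://www.analytics.example/collect", frozenset()),
    Observation("https://www.analytics.example/collect", frozenset(), ("_an_id",)),
    Observation("https://px.ads.example/p", frozenset({"analytics"})),
    Observation("https://tracker.unknown.example/t", frozenset({"analytics"})),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OBSERVATIONS, AUDIT_DATE):
        print(*finding)
```

Each finding maps to a remediation path the policy should already define: remove or review the unapproved tag, fix the tag's consent trigger, or schedule the overdue platform review.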

Managed

A managed process is one with a CMP in place, all tags configured to respect users’ consent choices, a documented tag/cookie consent policy established, as well as processes implemented for regular platform risk reviews and ongoing technical tag/cookie consent monitoring. Defined processes are also established for how remediations of identified issues are addressed and how the technical tag architecture is modified according to any policy updates due to changes in tag behavior and/or business use of the data collected by each platform. 

A managed process is a pretty good one! At this level of maturity, known privacy compliance risks are mitigated with processes established to address any non-compliance issues according to the defined tag/cookie consent policy. To take this to the final “optimized” level, an additional element of regular proactive reviews of the changing regulatory environment should be conducted to see if any new or modified compliance considerations should be accounted for in the policy and current technical architecture. Regular reviews of the processes, recommended on an annual or bi-annual cadence, should also be conducted to identify where efficiencies can be realized in the platform risk review process, tag and cookie policy update process, as well as remediation workflow processes for addressing any identified privacy compliance risks. 

Optimized

An optimized process is one with a CMP in place, all tags configured to respect users’ consent choices, a documented tag/cookie consent policy established, processes implemented for regular platform risk reviews as well as ongoing technical tag/cookie consent monitoring, proactive monitoring in place of the regulatory environment to identify any emerging privacy risks, as well as processes established for regular reviews of all implemented workflows to identify gaps and opportunities for efficiency.

Consent Management

Consent management is the process for managing consent for data provided directly by users via forms and registrations on a website. It differs from tag and cookie consent in that this data is provided directly by users via an active process and often will include Personally Identifiable Information (PII) that can directly identify an individual, such as an e-mail address. Consent management will also often include the user’s preference selection for marketing communications such as e-mails from the organization. 

Ad-Hoc

An ad-hoc process for consent management is largely the absence of any process. Either no consent options are available to the user when submitting a form or, where consent is available, no standards are used across forms on the site.

If this is your website, it is critical to provide user choice for marketing communications as well as an explicit indication for the user to attest to their acceptance of your privacy policy and terms and conditions. In the absence of these, there is not a lawful basis in any jurisdiction to process the data being collected.

Repeatable

A repeatable process for consent management is one where consent options are available in all forms on the website. Consent options include both an indication that the user accepts the terms of the website and the privacy policies of the organization as well as consents to any additional use of the data for marketing or personalization use cases. Considerations should be taken based upon local legal requirements for opt-in vs opt-out consent to marketing communications as well as requirements for any additional downstream processing that could involve the data provided. 

The challenge at this level of maturity is that, while consent options are available and recorded, organizations lack a centralized process and repository for user consent preferences. Often, many systems, including a Customer Relationship Management tool and a marketing communications platform, are involved. Consent indications live in each platform depending on the form or customer experience.

To reach the next level of maturity, organizations should centralize records of consent collected from any form or workflow involving consumer provided data as well as define and implement technical and operational controls to ensure the data is only used for purposes consented to by the user. 

Defined

A defined consent management process is one where compliant consent options are available to the user, records of consent preferences are centralized and synced across platforms containing user data, and technical and operational controls are in place to ensure that data is only available for authorized use cases aligned with each user’s consent. 

To mature to a managed level of maturity, organizations should implement processes for auditing and testing the technical and operational controls in place. In addition, processes should be established for regular reviews of all sources of user provided data to be proactive in identifying new methods of user data collection to ensure they are addressed by current controls in place. 

Managed

A managed consent management process is one with standard compliant consent options universally available to the user, records of consent centralized and synced, technical and operational controls in place to limit processing only to that which has been consented to, and monitoring and auditing processes in place for review of controls as well as new data collection sources.

For an organization to reach the optimized maturity level, systems and processes used for collection of consent, managing records of consent, and controls for processing should be regularly reviewed and optimized for efficiency on an ongoing basis. It is recommended for this review and optimization process to happen at least on an annual cadence. User provided data is one of the most valuable data assets for an organization and also carries significant potential privacy compliance risk. Optimizations of process are critical to ensure business success.  

Optimized

An optimized consent management process has standard compliant consent options universally available to the user, records of consent centralized and synced, technical and operational controls in place to limit processing only to that which has been consented to, monitoring and auditing processes in place for review of controls as well as new data collection sources, and a regular review process implemented for optimizations and efficiencies in all of the above.

New Vendor Privacy Risk Reviews

New vendor privacy risk reviews are exactly what the name implies—reviews of new vendors to determine and document privacy risks for users. Depending upon the jurisdiction in which your organization operates, the technical details required in risk reviews will vary. For example, many U.S. State comprehensive privacy laws require data privacy impact assessments for what they define as “high-risk activities” including targeted advertising. In Europe, GDPR similarly requires formal privacy impact assessments for high-risk activities as well as records of processing activities for all processing involving personal data of users. Regardless of the jurisdiction and technical requirements for what should be included, all organizations should be conducting privacy risk reviews for any new vendor platform to be implemented on a website to understand the nature of data collected, how it will be used, and then evaluate risks and controls available to mitigate those risks. 

Ad-Hoc

An ad-hoc process for new vendor risk reviews is a process where an organization only reviews some platforms, often after implementation, once a privacy compliance issue is identified. There is no defined process or standard methods in place to collect information about platforms relevant for compliance considerations nor is a process embedded in the procurement process or tag implementation process to ensure risk reviews are completed. 

If this is your organization, it is very important to define and implement a process to review all new vendor platforms for privacy compliance risk. The process should be embedded within current business processes where possible and should require vendors as well as internal teams that will be responsible for the platform to fill in technical details about data collected as well as business context details about how the data will be used. Many organizations will include the risk review process as part of their procurement processes since the weighing of privacy risk against business value is an important part of remaining compliant. In addition, other privacy program components such as user notices, data maps, records of processing activities, and consent processes may need to be updated to accommodate the usage of the new vendor.

Repeatable

A repeatable new vendor privacy risk review process is one where a process is in place to review some aspects of privacy compliance risk but it is not fully comprehensive for all privacy compliance obligations. This is the stage most organizations are in. For most organizations, there is a security review process as well as contract reviews which are completed for any new technology vendor within the procurement and new platform onboarding processes of the organization. 

While these two processes are important parts of privacy risk reviews, they do not fully address all areas necessary for a privacy program. Formal updates to data mapping and records of processing must be made, and privacy considerations, such as classifying the data collected and used as anonymous, personal, or sensitive and the controls in place for privacy processes, must be accounted for.

To move to a defined maturity stage, an organization must formalize processes for reviewing platforms by implementing review standards aligned with legal requirements. In addition, the findings of privacy risk reviews must map directly to privacy compliance actions necessary based upon the results. Formal methods to identify updates necessary for the privacy notice, consent controls, as well as operational and technical controls to mitigate potential privacy risks must be defined and implemented. 

Defined

A defined new vendor privacy risk review process has privacy risk reviews formalized according to applicable legal requirements, risk reviews embedded within business processes for procurement and new vendor onboarding, and findings from risk reviews automatically triggering additional processes for updating necessary privacy controls in the organization. 

What a defined process lacks is an implemented way to track the health and effectiveness of the new vendor privacy risk review process. A system should be set up to measure the volume and pace of risk reviews, the outcomes, as well as the efficiency of privacy control updates being made following the review process. Implementing this tracking system will allow the process to mature to the managed level. 

Managed

A managed new vendor privacy risk review process has privacy risk reviews formalized according to applicable legal requirements, risk reviews embedded within business processes for procurement and new vendor onboarding, findings from risk reviews automatically triggering additional processes for updating necessary privacy controls in the organization, and a system in place to monitor the effectiveness and efficiency of the process. 

Without effective monitoring of the process, it is impossible to identify areas of improvement. Far too often implemented processes are side-stepped due to being overly cumbersome and inefficient for business stakeholders. It is important to track the effectiveness and optimize to make it easy for people involved in the process to complete the necessary tasks. 

Optimized

An optimized process contains all of the elements of a managed process with success metrics regularly reviewed. Regular reviews should lead to optimization activities to ensure privacy compliance while also optimizing business processes. 

New Activity Privacy Risk Reviews

Just as new vendors should be reviewed for potential privacy risks and methods necessary to mitigate those risks, so too should new activities that involve the processing of personal data. Again, these risk reviews are often required by global privacy laws. Any new activity that will involve the use of personal data should be evaluated for the amount of risk it presents to consumers, what controls are in place to mitigate those risks, and whether the new processing activity will result in additional privacy compliance considerations that must be addressed.

Ad-Hoc

An ad-hoc new activity privacy risk review process is one that happens infrequently, not for all new activities involving personal data, and is often incomplete in addressing all necessary compliance requirements. 

Many organizations simply do not know their obligations regarding privacy risk evaluation. “The data is there, we have a new business use case that we want to try out, let’s do it!” This is an especially pronounced problem with the large volume of new technology available for advanced analysis and artificial intelligence. In the race to be on the cutting edge, it is extremely important to keep the privacy rights of users and the privacy obligations of the organization in view.

To mature out of the ad-hoc state, for any new use case for which you are using personal data, implement a process to review the privacy risks involved and compliance controls that need to be considered. Start by identifying exactly what data is going to be involved and what is the intended result of the processing. Also consider if the activity is aligned with the purposes for which the data was initially collected and agreed to by the user. Various laws across the globe have formal requirements for assessments to evaluate the privacy risk threshold for activities as well as requirements for more formal reviews if an activity is likely to present a high-risk to the privacy rights of consumers. Consult these requirements for your organization and use them as a guide to implement a standard process. 

Repeatable

At the repeatable stage of a new activity privacy risk review process, organizations will have a standard method implemented for reviewing new processing activities and will regularly execute that standard process for new large strategic initiatives. What many organizations are missing at this stage is an initial process, applied to any and all new activities, to assign potential privacy risk, as well as documented standards for what must be considered at the varying levels of risk identified.

To mature into the defined stage for this process, organizations should document and define a standard process to evaluate the level of privacy risk present for all new activities. First, identify if the activity involves the processing of anonymous, personal, or sensitive information as well as the intended outcome of the processing. Next, evaluate if the data involved was originally collected for a purpose which aligns with the purpose of the new activity. From there, assign a risk level to the activity and then execute standard risk assessment processes according to likely risk. All of this should be documented and embedded across the organization. 

Defined

A defined new activity privacy risk review process means organizations will have a standard process to evaluate potential privacy risk of a new activity, assign each a privacy risk level, and execute full evaluations based upon risk. 

To mature into the managed maturity level, all of these processes should be documented with target metrics for success defined and tracked. In addition, outcomes from the new activity risk review process should be mapped to the processes for related compliance considerations that will be necessary. For example, a new business activity involving the processing of personal data may require an update to the privacy notice so that consumers are properly informed of the planned activity, or consent language may need to be updated to provide sufficient levels of consent for the new activity. At the managed level, all of this is documented and standardized to improve efficiency in execution.

Managed

A managed new activity privacy risk review process means organizations will have a standard process to evaluate potential privacy risk of a new activity, assign each a privacy risk level, execute full evaluations based upon risk, and have a process by which privacy compliance considerations are automatically triggered to accommodate the new processing activity. All of these processes are also measured for efficiency and effectiveness.

Just as with the new vendor privacy risk review process, you cannot optimize that which you do not measure. Defining metrics to identify the volume and pace of privacy risk reviews conducted allows for the evaluation of each phase of the process and for optimizations to be implemented at defined time intervals.

Optimized

At the optimized level of maturity, all processes are implemented, measured, and reviewed for optimization opportunities on a regular cadence. The pace of these reviews and optimizations will depend upon the nature of your organization and the level of risk involved with your processing activities. 

Data Subject Requests

Data subject requests (DSRs) can take a few different forms: requests for information, requests for access, and/or requests for deletion. Global privacy laws grant consumers the right to submit such requests so that they can have greater control over how their personal information is being used. For some organizations, these requests can number in the thousands each year. It is important to have efficient processes to handle such requests not just for compliance but also to best handle organizational resources necessary to respond. 

Ad-Hoc

Organizations with an ad-hoc process for handling data subject requests (DSRs) do not have a defined process in place nor a central intake method for requests to be made. Often requests are made via general contact forms on a website or submissions via an e-mail provided in a privacy notice to users. Upon the receipt of a request, it is an ad-hoc process to contact the team likely responsible for the platform where the data is housed and then an unorganized scramble to find the information necessary. 

Handling DSRs in an ad-hoc manner is a large compliance risk due to challenges in meeting response time requirements in global laws as well as the operational burden involved. There is unnecessary time and cost incurred by the business as a result of an inefficient or nonexistent process.

If this is your organization, you need to implement a standard process both for receiving DSRs as well as to coordinate the response. 

Repeatable

A repeatable process for handling DSRs is one in which there is a standard process in place but that process is only informally defined and is often handled via inefficient e-mail communications between responsible parties. At this stage, organizations are often able to adequately respond to and manage requests but it is a very inefficient process with no tracking in place (which is often required by law). 

To mature to the defined stage for a DSR process, you should start by implementing a centralized and standard intake process for requests. Many organizations will manage this via a privacy platform. Using a packaged platform, it is possible to create and use standardized forms on the website for all requests from data subjects. These systems also support the automation of identity and response verification. Simply implementing the centralized intake and automated systems for response verification can often reduce the operational overhead by more than 70 percent. 

From there, it is important to define processes for exactly how to handle each type of request. These processes should be closely tied to data maps and records of processing activities to be able to identify the systems where personal data is stored and processed and thus to inform where and how to access necessary data for the request. All of these processes should be defined and standardized to improve efficiency in the process.

Defined

A defined DSR process is one in which a centralized intake system is established, verification for requests is automated, processes for handling each request type are documented and in place, and all in-scope systems which house personal data are mapped to ease access and deletion processes.

Once all processes are defined and implemented, it is now possible to work on automation of the execution of various types of requests. For example, at the defined stage, a full map of the systems where personal data is stored as well as processes likely to be impacted by deletion is known. With this information, an organization can begin creating automated processes to delete data associated with the requesting user from all systems in which the data resides. In addition, systems can be set up to track and monitor the number of requests, number of verified requests, time to execute the request, and time to respond to the requestor. For organizations processing large volumes of personal data and/or processing for a high-risk purpose, many of these reporting metrics are legally required.

Managed

At the managed level of maturity for DSRs, a centralized intake system is established, verification for requests is automated, processes for handling each request type are documented and in place, all in-scope systems which house personal data are mapped to ease access and deletion processes, automation is established where possible for request execution, and systems are in place to monitor the efficiency and effectiveness of the process.

At this stage, metrics measuring the effectiveness of the processes are regularly reviewed with often annual initiatives to improve areas of inefficiency. Regular, ongoing monitoring and optimization is what will move an organization to the final level of maturity. 

Optimized

An optimized DSR process is one in which most aspects are automated and regularly updated for any new system which is introduced involving the processing of personal data. At this stage the effectiveness of each component is regularly tracked and optimization activities happen on a regular defined cadence. 

As any organization can attest, there are many competing priorities for resources at any given time. While the privacy program is increasingly being viewed as a business enabler due to both compliance obligations as well as the importance of consumer trust, it is also clear that establishing and maturing in each of these areas can be a lot of work. For this reason, it’s important to set the privacy strategy for your organization at the outset. Different organizations will prioritize different aspects of the privacy program, targeting different maturity levels in each accordingly. And this is ok! Goals for process maturation should be set according to each organization’s stance on privacy and risk tolerance. For many of the processes reviewed, which intersect with marketing and advertising activities, it is often important to achieve at least a “defined” level of maturity. Consumer trust is a critical precursor to consumer loyalty and the ability to collect and use valuable first-party data from your users. 

As the appetite for business use cases involving first-party consumer data continues to grow, and new technologies become increasingly available to extract value from that data, take a long hard look at the privacy processes involved. A defined and managed privacy program can make all the difference in mitigating privacy compliance risk while enabling optimal business outcomes.

Originally Published On December 12, 2024