Hello! My name is Rick Bell and I am a senior data governance consultant at InfoTrust. I have noticed a new world for digital marketers in the United States, one that is starting to look a little more like Europe. I have been asked quite a lot recently from organizations that do business solely in the United States, “where do I start to be compliant?”
We have already seen the first enforcement action of the California CCPA, and later in 2023 new state laws will be going into effect: Utah, Connecticut, Virginia, and Colorado will all have regulations. A few other states have laws in committee. The privacy web in the United States is getting serious and fast.
While these laws have different nuances and requirements, the common thread is a user’s right to opt-out of behavioral advertising and cross-domain targeting. Yes, that means traditional digital marketing tactics are now being governed with enforcement teeth behind them.
If you operate solely in the United States, you may have not worried about digital privacy as it is related to advertising technologies previously—but you need to be now!
So what are the steps required that I have seen effective in other organizations who have successfully transitioned to a complaint mindset? What is best-in-class?
Get the right team together! Privacy Avengers assemble!
A cross-functional governance team is required to analyze your current adtech. I recommend somebody representing digital marketing/analytics, legal/data privacy officer, and IT/security. This team must be given internal authority to effect change. There’s no point in doing the analysis if no power is given to remove platforms or approve new platforms.
Audit Your Tech Stack
What do you have in place now? What platforms may be in scope for these regulations? How are they going to be controlled for users in all these states?
The team first needs to start with an audit if one has not already been completed. How can you know what actions to take if you have not documented what is in use now? The team at InfoTrust and Tag Inspector can help you through this process. Between our in-house award-winning technology and teams of experts, we can surface all of the data you collect to inform the audit and start making decisions!
The important end result is documentation of who internally uses what platform, what data it collects, if it’s in regulatory scope, and are the appropriate contracts in place with the technology vendor.
Create a Process
Create a formalized tag intake process—typically it is managed by a ticketing system in which a marketer would request a platform to be added to any digital property. This process would kick off further scrutiny if it’s a new platform, engaging the governance team for review. If it’s a currently-approved platform, begin the process of testing and deployment with the tag management team. Best-in-class tag governance would not allow a single tag to be added to a website without previous approval by the governance team.
The process avoids another lengthy audit in the future—so spend time on a process now and save time in the future.
Constantly Monitor for Compliance
Invest in a monitoring system—choose a way to constantly monitor and test the tagging platforms loading across the organization. The ideal system will monitor if tagging platforms are loading correctly for users based on consent and in light of regional privacy requirements. Select some form of alerting if an unapproved tag finds its way onto the website, or loads a tag not contractually agreed upon by the organization. Ensure whatever you choose detects and reports on any PII collected by tags for review and to detect “leaks.” (Tag Inspector meets all these requirements, but some system would be needed to ensure the organization is always in compliance, and that unused/non-compliant platforms are corrected for users.)
So now that you know the steps, it’s time to roll up your sleeves! Let us know if we can help you with your journey in this new privacy-focused United States!