For most organizations, the number one point of contact with consumers is their website. More consumer behaviors are observed, more personal information is collected, and more data is shared with third-party partners from a consumer-facing website than any other business asset. 

And how many third-party partners there are! 

Recent scanning with Tag Inspector of the top 500 U.S. advertisers by 2023 media spend revealed that the average number of technology platforms loading and being sent data from those websites to be approximately 20. Some sites have more than 120! For these reasons, an organization’s website is a primary risk vector for privacy compliance. 

Not all tag and pixel behavior on a website is bad. On the contrary, it is critical to collect first-party data to understand how users are interacting with the site, measure media effectiveness, and deliver the personalized experience that consumers demand. All of these factors contribute to added business value. At the same time, it is also critical to understand potential compliance risks to take the proper considerations for users’ privacy. Privacy-centric marketing begins with respecting the privacy of users. 

When working with organizations, we often discuss both the implicit and the explicit risks associated with data collection and the usage of tracking technologies. Implicit risks are those inherent to the use of such technologies. Any collection and processing of personal data carries with it compliance obligations such as user choice, disclosure, risk assessments, handling of data subject requests, etc. There will always be risks that something goes wrong in one of these aspects of the privacy program and thus there is inherent risk associated with personal data collection and use. Explicit risks are those areas that go wrong. Gaps in the privacy program or gaps in process that result in violations of the privacy policy and thus violations in compliance obligations. 

When considering privacy compliance risks related to data collection on a website, we find it helpful to segment platforms based upon their functionalities. Doing so helps to understand the nature of inherent risks, helps guide decision making for the compliance considerations to make, and provides a structure to audit and monitor for any explicit risks that may be present. A helpful starting point for this segmentation is along four categories:

1. Advertising Platforms
2. Data Brokers
3. Wiretapping Platforms
4. Piggybacking Tags

Linked above for each risk category is a more in-depth explainer for the nature of each as well as compliance considerations to be aware of. Beginning with this segmentation and review of websites for platforms within each will provide a foundation from which to ensure the privacy rights of consumers are being respected in the collection and usage of personal data for marketing and advertising activities.