As data regulation rapidly expands, compliance requires communication, diligence, and constant auditing for today’s opaque digital environments.
This is part 3 in a 4-part series. Read part 1, “Beating Back Bad Actors“, and part 2, “Evicting Exfiltrators.”
Can you imagine driving in a world without laws? No speed limits, no stop signs, no traffic cops on the lookout out for unsafe behavior. There would be constant mayhem with nonstop hit and runs. Without regulations around seat belts and other safety measures, driving fatalities could be astronomic. Getting behind the wheel would be infinitely more dangerous than it is today.
It’s actually not that hard to imagine—just watch one of the Mad Max movies (Fury Road rules!). And for a long time, the digital ecosystem truly resembled a Mad Max film—a lawless wasteland where the next website you visited could bring untold peril. However, better late than never, regulation is coursing through the digital landscape—particularly when it comes to the collection and use of consumer data.
Well known in the US are the Children Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate data processing and use involving minors and personal health, respectively. But the 2018 activation of the General Data Protection Regulation in the European Union signaled a new era in digital regulation, with governments becoming increasingly vigilant about consumer data practices at organizations large and small. In GDPR’s wake arrived the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), with additional regulations appearing regularly.
Every company with consumer-facing digital properties must comply with these “rules of the road,” and they have widely varying requirements. Operating digital assets without a comprehensive regulatory strategy—and the tools to ensure compliance—is like driving without a license. Eventually Johnny Law is going to catch up with you and the penalties will be severe—just ask some of the recipients of GDPR fines.
When regulators knock on the door, “Oh, I didn’t know Vendor X was doing THAT!” will not be a good defense.
Know Thy Regulations
While digital was virtually regulation-free for years, governments are quickly making up for lost time. Data protection laws are popping up around the world—and in the US, state by state as an overarching federal framework seems far off. Many of these laws are built to be flexible and morph with time and changing circumstances/technology. For example, GDPR rulings from country-specific Digital Protection Authorities are constantly shifting compliance requirements.
A portion of your legal team must be dedicated to data protection and other digital laws; this function could potentially be outsourced to specialists. Either way, this group must keep Security, IT, and Marketing up to date with the latest privacy developments by country and how it will affect their operations.
That’s a lot to keep track of—and these groups need guidance and action steps rather than just information. Never forget how central efficient knowledge transfer is to staying clear of regulatory hurdles.
What Data Are We Grabbing Again?
Most organizations collect consumer data on their digital properties for a variety of reasons—marketing, customer service, product feedback and development, etc. They tend to employ vendors leveraging cookies, beacons, JavaScript, and even fingerprinting tools. The problem is lack of communication between departments about who is collecting which data for what purposes. Oh, and worse—keeping the Security team out of the loop when vendor third-party code used to collect consumer data could open vulnerabilities for malicious activity or data leakage.
You need a centralized spot for keeping track of what vendors you’re currently using, what data they’re collecting, and why. You also need to keep up to date regarding vendors you’re no longer working with to ensure that their code has been off-boarded. Canceled vendors with code could potentially siphon your data off to competitors—or rope you into regulatory violations.
If all relevant teams–Security, IT, Marketing—have access to a centralized database of data collection activities, you can avoid nasty surprises: You let WHAT company on our homepage?!?
Eyes on the Code
Beyond keeping records, you need to monitor your vendors’ presence on-property to ensure they’re collecting exactly what has been agreed upon. Using client-side analysis of properties with consented and non-consented profiles, you can see exactly what your partners are executing in a variety of situations.
Monitoring is also essential because in executing, vendors often contact other vendors—and sometimes bring them on your properties. You don’t just need to worry about third-party code—you need to be thinking about 4th parties, 5th parties, etc. to infinity. If one of these nth-party vendors violates data regulations while on your property, you are likely liable.
Constant monitoring will enable you to nip such situations in the bud, while also blessing you with an audit trail that you can use to show an effort to comply—which is highly important for GDPR. Analyzing your properties in a sandboxed or virtual environment won’t always bring nth-party connections to life—your scanning needs to accurately recreate the experience of an actual consumer, which client-side analysis is capable of.
When regulators knock on the door, “Oh, I didn’t know Vendor X was doing THAT!” will not be a good defense.
If all relevant teams–Security, IT, Marketing—have access to a centralized database of data collection activities, you can avoid nasty surprises: You let WHAT company on our homepage?!?
Verify Your CMP
A consent management platform (CMP) is a straightforward solution for collecting consumer privacy choices. Some organizations have the means to build these in-house, but most opt for third-party solutions.
But don’t think for a minute that CMPs are full-baked privacy and regulatory compliance solutions. Truth be told, these platforms are really only glorified databases—their compliance offerings are limited at best. They cannot tell you whether third-parties—the vendors you work with and those nth parties we mentioned above—are actually respecting the consent single. Client-side property scanning with consented, non-consented, and no-choice profiles can illuminate this. Regular audits are essential for keeping your vendors in line and staying clear of regulatory challenges.
Keeping records of consumer consent choices is extremely important—but you also have to ensure that those choices are being respected… lest regulators discover they aren’t.
If all relevant teams–Security, IT, Marketing—have access to a centralized database of data collection activities, you can avoid nasty surprises: You let WHAT company on our homepage?!?
Don’t Be Overwhelmed
If you drive, do you remember taking the test to get your learner’s permit? You were probably stressed out trying to remember all the road signs, special traffic rules, and other proper driving practices—you might have sweat through your shirt taking the test.
Unfortunately, comprehending data and regulatory compliance might give you flashbacks to getting your learner’s. There are many different laws in various countries (and states!) with wildly varying compliance requirements.
But don’t panic! With:
- continuous flow of actionable information from your legal team;
- a living record of vendor relationships and data collection;
- constant monitoring of vendor activity; and
- regular CMP audits;
you’ll find compliance is not as overwhelming as it may seem.
Read part 1, “Beating Back Bad Actors“, and part 2, “Evicting Exfiltrators.”