By Sarah Ralston, Director of Privacy and Risk Solutions
Reused code is great for development, efficiency, and even consistency across the internet. But when it comes to privacy, do developers actually know what their code is doing?
Studies estimate that 80% of the internet is reused code. Indeed, a substantial portion of the internet’s infrastructure relies upon pre-existing code. Plenty of websites use platforms like WordPress, thanks to its simple plugins and themes. JavaScript libraries like React and Angular make building web apps easier and more consistent, and AI coding agents are already accelerating the rate at which code is reused.
With open-source code libraries and frameworks, development gets streamlined and developers can collaborate more effectively. But buried somewhere in a code library used to build a new website is a hidden element silently sending data to a third party.
Compliance Complexities of Reused Code
Companies spend a lot of money annually on compliance, but if they are not looking at all of the places they are reusing or repurposing code, they still may not have a complete picture of all the ways data is being used — or the places it is being shared.
Regulations have started catching up with the advancements of technology, specifically regarding user privacy, data tracking, and advertising. Eight more US states have privacy laws taking effect in 2025. Compliance professionals everywhere want to do the right thing, but it isn’t always that simple.
The largest fines imposed for infractions across the regulatory landscape have one thing in common: user consent.
One of the primary points at which consent is collected is the consent banner, which gives users control over what types of data they allow to be collected, and for what purpose. When companies don’t know about all the third-party code on their website that collects data, they are inadvertently sending user data without consent. This can result in fines or regulatory penalties.
Ignorance Is No Defense
Let’s look at some of the biggest regulatory fines under GDPR since it began in 2018:
- Meta was fined a breathtaking €1.2 billion for transferring EU user data to the US without proper data protections.
- Amazon was fined €746 million for using personal data for targeted advertising without proper consent.
Under CPRA:
- Sephora was fined $1.2 million for the unauthorized sale of customer data, failing to recognize global opt-out signals, and third-party tracking of consumers.
- DoorDash was fined $375,000 for selling consumer data without the ability to opt out.
The age of ignorance as a defense is over. Welcome to the future of user privacy. The time to audit your own compliance is now.