Fully 62% of business leaders say their companies need to do more to protect data, according to KPMG. Surveys show more consumers are worried about unlawful data sharing, such as through online advertising, than data breaches.
In our work with nearly 100 clients representing 75,000 websites, there are three common online advertising blindspots: misunderstanding the basics of state laws, enabling “dark patterns” and “dark signals”, and permitting “skimmers” to intercept consumer data.
California’s Consumer Privacy Act (CCPA) has been in force since 2020 and at least four new state laws will be enacted in 2023, along with the updated California Privacy Rights Act (CPRA). The hardest part for many CEOs is understanding exactly what risks exist within their advertising and data sharing practices.
How can CEOs protect themselves from regulator fines and damaged reputations?
A. Legal basics: (1) sharing is selling, (2) one opt-out method isn’t enough
EU, UK, and US state data privacy laws require consumers to be able to opt-out of the sale of personal information. Many ad sellers and buyers have narrowly interpreted this wording, believing a sale is only the exchange of data for money. However, the legal interpretation is different.
Under CCPA, the term “sell” is defined as making data available “for monetary or other valuable consideration.” Therefore, it stands to reason that sharing is selling under the current legislation. To remove ambiguity, “selling” has been replaced with “sharing” in the new and more robust CPRA.
While some may think they have until next year to change their practices, we’ve already seen multiple warnings from authorities. California’s Office of the Attorney General sent notice of alleged non-compliance to a manufacturer and retailer of electronics due to third-party trackers that shared data with advertisers.
When we compare the other US laws coming into effect next year, including the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), and the Connecticut Data Protection Act (CTDPA), they are consistent with California law: consumers have the right to opt out of targeted advertising that uses personal information, which halts the selling or sharing of that data. To remove doubt, sharing is selling, and this holds across nearly all jurisdictions.
The next critical CCPA clause is the requirement to offer two or more approved opt-out methods, such as consent management platforms, web forms, and user-enabled signals like the Global Privacy Control.
Boltive recently conducted a study to see how many of the Fortune 100 are compliant with this clause and discovered that only 33 companies are. Given the current confusion over the definition of “sale” of personal data for targeted advertising, it’s not surprising that there is also uncertainty on the methods to opt out of that process.
B. “Darkness” distorts consumer consent
The use of “dark patterns” is a practice in direct conflict with the CCPA. For example, obfuscating the opt out button on your cookie banner to steer consumers to opt in is a dark pattern.
Dark patterns also put you in the firing line of the FTC, which has the authority under Section 5 of the FTC Act to prosecute organizations “when unfair or deceptive acts or practices are discovered.” Fortunately, dark patterns are within your control and therefore 100% avoidable.
The second problem is “dark signals,” where opt outs are lost in transit. Among the Fortune 100, all are using methods that fail between a third and 100% of the time. Tests reveal that two of the most popular methods, consent management platforms and web forms, create dark signals on average 25-50% of the time.
Boltive has worked with dozens of online publishers and brands to measure dark signals. In one case involving a health content publisher, the rate of consent failures exceeded 51%. We uncovered that one platform handling consumer opt-out requests was responsible for 60% of the errors.
Though we may assume the big players, with ample resources, have perfected their data privacy processes, there is often unknown data leakage. The important question CEOs should ask themselves is: how bad can this get, and what are the repercussions?
C. Enabling online “skimmers” to steal data
Man-in-the-middle skimming of personal data is not new. Take physical card skimmers, which have been attached to ATMs, fuel pumps, and other payment terminals to intercept credit card data.
The data privacy equivalent is sharing with unauthorized data collectors. Fully 89% of online display ads are sold programmatically, according to eMarketer. It’s very easy for vendors to conceal themselves in the programmatic ecosystem of supply-side platforms (SSPs), demand-side platforms (DSPs) and ad exchanges.
Our team analyzed unauthorized data leaks for a leisure firm that received a $24M GDPR fine. The firm had two data partners leaking personal information to five unapproved vendors, one of which was a foreign malware distributor.
Data leakage usually occurs due to one of three reasons:
- Intermediaries get seats on a bid exchange with the pretense they buy or sell ads. Companies then skim consumer data to create and sell profiles to advertisers and agencies.
- Human error can cause credentials of data partners to survive termination. If an employee forgets to turn off credentials of a former vendor, an unauthorized party keeps access to personal information.
- Unethical practices of your partners’ partners. This activity is hard to detect, because without a tool like Boltive Privacy Guard™️, you can’t keep track of how your data “hops” down the line.
My advice to CEOs to mitigate these three risks is:
- Assign one or more leaders for your data privacy program and map your data
Under GDPR, companies are required to appoint a Data Protection Officer (DPO) to ensure that the data they process is handled in compliance with the law. This is not required under the CCPA, but (a) you must do it if you handle the data of UK and EU residents, and (b) I recommend it regardless, to manage your data privacy processes and steer you clear of non-compliant actions.
Mapping your data across your organization identifies what you are keeping and where. There are often many pockets of data that different systems have collected that you may not be aware of, and you should be.
Under the current California legislation, and the other state laws coming in 2023, you must be able to delete consumer data under the right to delete and be able to provide it under the right to access. Knowing where all your data is stored is the first step to staying in control.
- Implement systems to prevent dark patterns, dark signals, and skimmers
Dark patterns mentioned above can be avoided by auditing your website for manipulative tactics and introducing rigorous design practices. These practices should center the user experience over the self-interest of the business.
Dark signals and skimmers can be prevented through manual or automated processes. A manual inspection of US and EU privacy strings is possible using open-source web tools. A more reliable way is online monitoring software that tests for weak links and enables corrective action. Not only does this allow for faster repair of defects, but it also demonstrates to consumers and regulators the highest standards in handling personal information.
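To make the "dark signal" check concrete, here is an added example (written for this article, not Boltive Privacy Guard or any of the open-source tools it refers to) that audits simulated consumer journeys for lost opt-outs. It assumes the US privacy string follows the IAB four-character "US Privacy" (USP) format (version, explicit notice, opt-out of sale, LSPA coverage, each Y/N/-), that a Global Privacy Control opt-out reaches the server as the request header `Sec-GPC: 1`, and that the journeys, vendor hostnames and ad-request records are constructed sample data.

```python
"""Consent-signal audit: did the consumer's opt-out survive the trip to each
downstream ad request? Added example with constructed data; the vendor names
and journey records are hypothetical."""
from collections import Counter

USP_FIELDS = ("version", "notice", "opt_out_sale", "lspa")


def parse_usp(s):
    """Parse an IAB US Privacy string such as '1YYN' (assumed 4-char format).
    Raises ValueError on anything malformed so callers treat it as a failure."""
    if not isinstance(s, str) or len(s) != 4 or s[0] != "1":
        raise ValueError(f"unsupported US privacy string: {s!r}")
    if any(ch not in "YN-" for ch in s[1:]):
        raise ValueError(f"invalid flag in US privacy string: {s!r}")
    return dict(zip(USP_FIELDS, s))


def consumer_opted_out(journey):
    """The consumer opted out if either accepted method was used: the cookie
    banner (CMP) choice or the browser's Global Privacy Control header."""
    return bool(journey["cmp_opt_out"]) or journey["headers"].get("Sec-GPC") == "1"


def audit(journeys):
    """Return (failures, failure_rate, errors_by_vendor).

    For every journey where the consumer opted out, each outbound ad request
    must carry a USP string with opt_out_sale == 'Y'. A missing, malformed
    or 'N'/'-' string means the signal was lost in transit (a dark signal)."""
    checked = 0
    failures = []
    for journey in journeys:
        if not consumer_opted_out(journey):
            continue  # nothing to propagate, so nothing to check
        for req in journey["ad_requests"]:
            checked += 1
            usp = req.get("us_privacy")
            try:
                fields = parse_usp(usp)
            except ValueError:
                fields = None
            if fields is None or fields["opt_out_sale"] != "Y":
                failures.append({"journey": journey["id"],
                                 "vendor": req["vendor"],
                                 "us_privacy": usp})
    rate = len(failures) / checked if checked else 0.0
    # Attributing failures to vendors shows which partner is dropping signals.
    by_vendor = Counter(f["vendor"] for f in failures)
    return failures, rate, by_vendor


# Constructed sample journeys (not real traffic): how the consumer opted out,
# and the ad requests observed leaving the page afterwards.
SAMPLE_JOURNEYS = [
    {"id": "j1", "cmp_opt_out": True, "headers": {},
     "ad_requests": [
         {"vendor": "ssp-a.example", "us_privacy": "1YYN"},
         {"vendor": "dsp-b.example", "us_privacy": "1YNN"},  # opt-out flipped to N
     ]},
    {"id": "j2", "cmp_opt_out": False, "headers": {"Sec-GPC": "1"},
     "ad_requests": [
         {"vendor": "ssp-a.example", "us_privacy": "1YYN"},
         {"vendor": "dsp-b.example"},                        # string missing entirely
     ]},
    {"id": "j3", "cmp_opt_out": False, "headers": {},
     "ad_requests": [{"vendor": "ssp-a.example", "us_privacy": "1YNN"}]},
]


def main():
    failures, rate, by_vendor = audit(SAMPLE_JOURNEYS)
    print(f"dark-signal rate: {rate:.0%} ({len(failures)} failures)")
    for vendor, count in by_vendor.most_common():
        print(f"  {vendor}: {count} lost opt-out(s)")
    for f in failures:
        print("  ", f)


if __name__ == "__main__":
    main()
```

On the sample data the audit reports a 50% dark-signal rate, all of it attributable to one downstream vendor, which is the kind of per-partner breakdown that turns a headline failure rate into a corrective action.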
This is where our first-to-market service, Boltive Privacy Guard™️, can protect your business by detecting and defending against violations caused by your partners' practices and consent signal failures. Our technology simulates your consumers' journeys to verify that consumer consent is working and that downstream partners aren't sharing data without authorization.
Don’t put this off – get started today
Data privacy practices are complicated. The confusion around what is and isn’t allowed, even two years after the release of the CCPA, shows that no business is perfect. Accidents happen, technology fails, and other businesses, with whom you directly work or not, may have malicious intent.
Don’t wait for enforcement, because then it will be too late. When new GDPR laws were introduced in 2018, many businesses in Europe were not ready either. But showing the steps already taken and plans to become fully compliant was enough to avoid regulatory action.
In fact, the EDPB governing body says, “The adoption of appropriate measures to mitigate the damage suffered by the data subjects may be considered a mitigating factor, decreasing the amount of the fine.” The same is also true in the US. Colorado Attorney General, Philip Weiser, stated “[o]ur number one priority is those who are willfully noncomplying with the law. That is where our blood is going to most boil,” at an April 2022 privacy conference.
Don’t worry about being perfect. Basic policies combined with monitoring software demonstrate you’re acting in good faith to prevent dark patterns, dark signals, and skimmers.
Written by Dan Frechtling.
Follow CEOWORLD magazine headlines on Google News, Twitter, and Facebook. For media queries, please contact: email@example.com