Privacy Oversights: Why Your Tech Stack Needs an Update
LOKKER’s Ian Cohen offers insights on privacy oversight and why your tech stack needs an update. This article originally appeared on Solutions Review’s Insight Jam, an enterprise IT community enabling the human conversation on AI.
Browsing the web now feels like whack-a-mole if you’re trying to keep your data private and avoid having every website you encounter courting you daily for a relationship. There is an endless appetite for our personal data. As a result, unauthorized data tracking and sharing is pervasive. The task can be daunting for the company trying to comply with a very complex and rapidly changing regulatory environment, because much of this data collection is happening behind the scenes, often without the website owner’s knowledge.
This is a technology issue rooted in how cloud services are delivered, so the problem is inherent in how we build our websites. Since this fact is not likely to change anytime soon, IT executives must ensure their tech stack includes effective tools to detect, block, and monitor unauthorized third parties collecting web visitors’ data.
Most privacy solutions on the market fall short and don’t offer real-time detection and blocking. This article explores:
- The importance of web data privacy for organizations
- Shortcomings in current technologies that contribute to privacy issues
- Steps to address privacy gaps in your organization and tech stack
Privacy: A Complex Problem Facing Tech Executives
Privacy legislation is relatively new but expanding rapidly. Since the first comprehensive state privacy law (CCPA) took effect in 2020, 19 more state laws have been passed, with seven states currently enforcing privacy laws, each with slightly different requirements. Industry-specific regulations, such as HIPAA for healthcare and GLBA for financial services, add further complexity. Understanding these requirements is the first challenge for IT executives in building an effective tech stack to manage privacy risks.
Finding the right technology to address these issues is another challenge. While tools like cookie consent managers and data subject rights request systems have emerged to cover specific areas of compliance, they often lag behind evolving laws and fail to address the full scope of privacy concerns. Our research reveals that over 90% of consent management platforms are misconfigured or have failed to update correctly, leading to data leaks.
Common issues with consent tools include:
- Cookies Load Early: Cookies may load before the consent banner appears, allowing user data to be collected even if users select “reject all.”
- Outdated Banners: Some consent banners aren’t updated in real time, meaning tracking technologies could be on the website but not surfaced in the banner for a user to consent to, allowing data collection without consent.
- Blocking Errors: Data is allowed to be collected even after the user selects “reject all.”
- Missing Banners: Some website pages lack consent banners entirely.
- Subjective Categorization: Different companies classify tracking tools differently, leading to inconsistent categorization. Non-essential tools might be listed incorrectly as necessary.
- Limited Scope: Banners often address only cookies, neglecting other data collection methods like pixels, fingerprinting, and piggybackers.
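As an added illustration (not code from LOKKER or this article), the following script audits a constructed page-load timeline for several of the failure modes just listed: cookies set before any consent decision, third-party activity after “reject all,” vendors not surfaced in the banner, and piggybacking trackers injected by another third party. The hostnames, event format, and banner vendor list are all assumptions made for the example.

```javascript
// Added example: audit a page-load timeline for consent-tool failures.
// Assumed event shape: { t, type: "script"|"cookie"|"consent", host, initiator?, action? }
const FIRST_PARTY = "www.example-shop.test";                  // constructed site
const ESSENTIAL = new Set([FIRST_PARTY, "cdn.example-shop.test"]);

// Vendors the (constructed) consent banner actually lists for the user.
const BANNER_VENDORS = new Set(["analytics.vendor-a.test"]);

function auditTimeline(events) {
  const findings = [];
  let consent = "pending";                 // pending | accepted | rejected
  for (const e of events) {
    if (e.type === "consent") { consent = e.action; continue; }
    if (ESSENTIAL.has(e.host)) continue;   // first-party/essential traffic is expected
    // "Cookies load early": third-party cookie written before the banner was answered.
    if (e.type === "cookie" && consent === "pending")
      findings.push(`cookies-load-early: ${e.host} set a cookie at t=${e.t} before any consent decision`);
    // "Blocking error": third-party activity continues after reject-all.
    if (consent === "rejected")
      findings.push(`blocking-error: ${e.host} ${e.type} at t=${e.t} after reject-all`);
    // "Outdated banner": a vendor runs on the page but is not listed for consent.
    if (e.type === "script" && !BANNER_VENDORS.has(e.host))
      findings.push(`outdated-banner: ${e.host} loaded but is not listed in the consent banner`);
    // "Piggybacker": a script injected by another third party rather than the site.
    if (e.type === "script" && e.initiator && !ESSENTIAL.has(e.initiator))
      findings.push(`piggybacker: ${e.host} was injected by third party ${e.initiator}`);
  }
  return findings;
}

// Constructed sample timeline (t = milliseconds since navigation start).
const SAMPLE = [
  { t: 120, type: "script", host: "analytics.vendor-a.test", initiator: FIRST_PARTY },
  { t: 180, type: "cookie", host: "analytics.vendor-a.test" },          // banner not yet answered
  { t: 250, type: "script", host: "pixel.vendor-b.test", initiator: "analytics.vendor-a.test" },
  { t: 400, type: "consent", action: "rejected" },
  { t: 450, type: "cookie", host: "pixel.vendor-b.test" },              // after reject-all
];

console.log(auditTimeline(SAMPLE).join("\n"));
```

A real deployment would feed this from a performance/resource observer or a network capture, but the classification logic is the same.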
These are just a few examples. The really concerning part is that most of the time, the people implementing these tools don’t realize they aren’t implemented correctly and are, therefore, unaware that their organization is left vulnerable.
Another challenge for IT leaders is balancing the needs of various stakeholders when selecting privacy technology. Legal, privacy, and compliance teams aim to avoid legal issues and typically recommend tools with the most strict privacy measures. In contrast, marketing teams rely on tracking tools to measure campaign effectiveness, which often conflicts with privacy requirements. Additionally, there is a push towards tech stack consolidation to reduce costs and simplify operations.
IT executives must choose technologies that address privacy concerns, support marketing objectives, and fit within budget constraints. Most of all, the solution needs to work automatically. It must reduce manual work and not introduce new demands. This complex challenge requires deep discovery and evaluation of privacy tools during the sales process to ensure that all requirements and protections are met.
Ahead of the Curve: Proactively Addressing Future Privacy Needs
To effectively navigate the evolving regulatory landscape, IT executives need visibility first and foremost. That visibility must come with context: an understanding of changing market trends and of the regulatory intent behind emerging laws. Although each law has its nuances, a good place to start is the central objective these regulations share: preventing unauthorized and illegal data collection.
Consider the following questions when evaluating data privacy and consent vendors:
- How frequently does your platform scan for privacy risks? Does it identify and remediate risks in real time, or does it require manual scans for new trackers and technologies? Platforms that require manual intervention may leave your organization vulnerable if issues take days, weeks, or months to identify.
- Does your privacy platform address only cookie consent, or does it also protect against unauthorized data sharing through other methods, like session replay tools, trackers, pixels, and fingerprinting? Ensure protection against all types of data collection, not just cookies.
- Can the platform independently block downstream or piggybacking trackers, and can it block these third parties without removing the primary functionality that product and marketing want? This is crucial for marketers who need consent and want to use platforms for advertising and measurement while keeping data private.
- Can your platform detect and block newly seen trackers? Trackers can be dynamically introduced in real time by piggybacking one with another. Without this capability, you can’t keep consumer data safe.
- How complex is the implementation? The more configuration required, the higher the risk of internal errors if documentation is inadequate. Ask about the configuration needed and whether the default settings ensure compliance with privacy laws.
- What kind of reports and visibility does the platform provide? Ensure the platform offers insights beneficial to privacy, legal, IT, and marketing teams.
Privacy issues are increasingly complex, thereby exposing your organization to more vulnerabilities. As an IT executive, proactively addressing these challenges with the right tools and processes is essential. As we all know, if it feels overly complex or difficult to integrate, it will probably get much worse once it’s deployed!