Digital regulation is in the process of adjusting to a sea change brought in by legislators at state, national, and international levels. Following the EU’s GDPR lead, the California Consumer Privacy Act took effect, meaning publishers must now ensure sufficient measures are in place to protect the data privacy rights of California residents. Otherwise, they face financial penalties for noncompliance. Many publishers turned to their consent management platform (CMP) to handle these challenges. However, due to poor consent signals, publishers are concerned about continued monetization efforts.
Data protection actions
All data privacy regulations involve three basic tenets:
- Data Inventory: identification of all data collected, used, shared and stored by the organization. This frequently involves questionnaires and mapping of data touchpoints.
- Technology Adjustments: ability to satisfy requirements for upholding consumer rights such as consent management, digital data tracking restrictions, data tracking categories and more.
Data regulation and browser actions put targeted advertising, cookies, and other persistent identifiers under unprecedented scrutiny. Tracking technologies have not been of much legal concern until recent years, and the private right of action is prompting companies to think and work smarter.
Even worse, CMPs struggle to send the appropriate signals regarding consent. This is particularly difficult because different markets have different requirements. These unclear signals in RTB muddy the bid process, causing trepidation among AdTech out of fear of serving an ad to an un-consented user. The result? Lowered CPMs for everyone.
Under today’s regulatory environment, the systems by which organizations have previously built their digital ecosystems could cause significant headaches for ad-supported businesses. But it shouldn’t have to be that way. Publishers that take control of their websites and mobile apps can facilitate compliance with any data protection regulation.
The DCN example
The presence of unmanaged third-party vendors and their contribution to widespread data tracking activity are the chief culprits of this digital woe.
Analysis of leading DCN member websites reveals that 81% of the executing code required to render the user experience is from third parties. Other data points include:
- 774: average number of domains executing
- 8%: executing domains that are risky
- 138: average number of cookies dropped per user session
- 21%: cookies that exhibit lifespans greater than 1 year
With your websites and mobile apps causing this much code to execute on consumer devices, you cannot ignore the data compliance risks of external code from service providers and third parties. As a site owner, you must know exactly what personal information your digital assets collect, the reason it’s collected, and who has access to the information. This will help you accomplish two CCPA obligations:
- Provide users with full disclosure of what information you collect from them.
- Inform users in case their data has been misused or shared without consent. If consumer data is leaked or mismanaged, your company (and associated digital vendors) must accept responsibility for the incident and work to recover consumer trust and re-establish the brand’s position.
Approximately 8% of executing, client-side code presents a controllable risk. These domains are overtly malicious, have a history of suspicious activity, or mask their ownership. Inability to verify domain ownership is a red flag; this type of obfuscation is a basic tactic adopted by bad actors. Unmanaged third-party code is routinely hijacked and used as a backdoor to infiltrate consumer-facing websites and covertly skim customer data.
Throughout 2019, several big brands made the headlines and found themselves in regulatory hot water because of large-scale data attacks by cybercriminals. These breaches resulted in well-known industry giants being slammed with record-breaking regulatory fines and penalties.
Thus, it’s vitally important for companies to implement digital security measures to ensure their CCPA preparedness.
Compliance is not a spectator sport
Compliance is more involved than simply drawing up contracts that require service providers to comply with obligations. You must be just as concerned with ensuring that providers are compliant as you are with upholding your compliance.
Many publishers perceive compliance to be harmful to page views, content consumption, and, as a result, advertising revenue. However, it has quite the opposite effect. Consumers and advertisers alike gravitate towards businesses that care about their privacy and strive to secure it. They’ll remain loyal to companies that have full visibility into and knowledge of the data collection taking place on their sites. They expect companies to be transparent about and communicate all the information that will be collected during a browsing session.
Compliance management can be burdensome and time-consuming without the right tools and expertise. But when procedures are optimized and tools with the capability to provide a broad view of the digital ecosystem are implemented, compliance management can be operationalized and streamlined to gain total control over unauthorized data tracking and take back control of the digital landscape your company operates on.
About the author
Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable Digital Risk Management. Chris has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams. Prior to The Media Trust, Chris created an Internet-based transaction system to research, buy and sell media for TV, radio, cable, and online channels. He started his career managing equity and fixed income electronic trading desks for Salomon Brothers, Citibank and Commerzbank AG.