Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This year, California Attorney General Rob Bonta has been active in pursuing enforcement actions under the California Consumer Privacy Act. Bonta has settled numerous cases with large, national and multi-national companies for a wide range of violations — including a USD1.5 million settlement in July, one of the largest privacy violation fines under the CCPA to date.
Among these enforcement actions, opt-out failures have been a central focus.
To underscore California's priority of enforcing compliance with CCPA's opt-out requirements, Bonta announced a joint investigative privacy sweep with Colorado and Connecticut in September. The initiative targets potential non-compliance with the Global Privacy Control, a browser signal that automatically communicates consumer opt-out requests to companies, directing them to stop selling or sharing their personal information with third parties.
Numerous regulatory actions to date have found many sites that continue to sell and share visitors' personal information via back-end trackers and pixels, even when users have selected the opt-out on the website banner.
These data-sharing and selling activities often occur without an organization's awareness that it has violated data privacy laws. This is because a complex ecosystem exists behind website banners and webforms, often with automated actions that are difficult to evaluate, understand, or modify. This includes consent management platforms, tag management systems, customer data platforms and downstream third-party data sharing agreements.
Given these complexities and the rising regulatory risk for businesses operating in California and other states with robust data privacy laws, organizations need to proactively evaluate their infrastructure and controls to ensure they are meeting opt-out requirements.
Consent management platform and tag management system integration
Consent management platforms are built to manage consent, not to implement user choice. They provide a customizable banner, consent receipts and cookie management capabilities, such as categorization and scanning services.
However, these tools stop short of controlling traffic and managing dataflows. Tag management systems control which tracking technologies fire once certain user conditions are met; they play a critical role in ensuring user choice is honored.
The key here is for the two systems to have a strong handshake. Consent management platforms should load first and ensure choices are captured in a way that can be retrieved by the tag management system. Triggers and exceptions should be configured within the tag management system to ensure trackers only act if they are part of a consented category.
Opt-out for known users
Where users can be known to an organization, their consent choices should consistently apply across devices and channels. Organizations can tap into their identity graphs to ensure consent choices stay with the user throughout their journey.
Global Privacy Control signals should be treated as opt-outs and follow the same implementation as banner opt-outs. Back-end systems should also be set up to honor opt-outs.
Advertising technology governance
Organizations that do not have a rigorous and enforced advertising technology governance program should establish an interdisciplinary team from legal, privacy, information technology, marketing and other relevant business groups to review new online tracking technologies and proactively flag and mitigate risks before production.
Continuous audit and validation
Websites, tracking technologies and privacy requirements are constantly evolving, introducing new opportunities for monetization and areas of risk. Regularly auditing network traffic will enable organizations to proactively identify high-risk online tracking technologies in production; auditing tag management systems will also ensure the triggers, rules and exceptions are up-to-date.
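The handshake described above, the treatment of a Global Privacy Control signal as a banner opt-out, and the traffic audit, as an added example that is not code from the article, FTI Technology or any consent or tag management vendor. The category names, the mapping of GPC to the advertising category, and the host names are assumptions for illustration:

```javascript
// Added example, not the article's or any vendor's code: a consent gate a tag
// manager trigger consults before a tracker fires, plus a check over observed
// requests. Category names and the GPC-to-category mapping are assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Effective consent from the CMP's stored record plus the GPC signal. In a
// browser the signal is navigator.globalPrivacyControl; server side it is the
// Sec-GPC: 1 request header. No record (banner unanswered) means no consent
// for the optional categories.
function resolveConsent(record, gpcSignal) {
  const consent = {};
  for (const c of CATEGORIES) {
    consent[c] = c === "necessary" || Boolean(record && record[c] === true);
  }
  // GPC is an opt-out of sale/sharing and overrides an earlier banner "yes";
  // sale/sharing is modelled here as the advertising category (assumption).
  if (gpcSignal === true) consent.advertising = false;
  return consent;
}

// A tag may fire only if every category it is registered under is consented.
function mayFire(tag, consent) {
  return tag.categories.every((c) => consent[c] === true);
}

// Audit check: hosts seen on the wire that belong to a tag lacking consent.
function findLeaks(observedHosts, registry, consent) {
  return observedHosts.filter((host) => {
    const tag = registry.find((t) => t.host === host);
    return tag !== undefined && !mayFire(tag, consent);
  });
}

// Constructed sample registry (hosts are placeholders, not real vendors).
const REGISTRY = [
  { host: "cdn.example-site.test", categories: ["necessary"] },
  { host: "stats.analytics-vendor.test", categories: ["analytics"] },
  { host: "px.ad-vendor.test", categories: ["advertising"] },
];

// Scenario: visitor accepted everything on the banner, but the browser sends
// GPC, and a constructed capture shows the ad pixel still fired.
function demo() {
  const consent = resolveConsent({ analytics: true, advertising: true }, true);
  const seen = ["cdn.example-site.test", "stats.analytics-vendor.test", "px.ad-vendor.test"];
  return findLeaks(seen, REGISTRY, consent); // ["px.ad-vendor.test"]
}
console.log(demo());
```

In a real deployment the registry is the tag management system's trigger configuration and the observed hosts come from a network capture of a consented and an opted-out session.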
Ongoing improvement may also require regular review of dataflows and documentation of any changes or deviations that could impact the ability to implement opt-out compliance.
At the state level in the U.S., opt-out implementation gaps are currently at the forefront of regulatory enforcement. Many organizations remain unaware of what these laws require, how they apply to their business, and that they may be inadvertently violating regulations. Evaluating website and data-sharing infrastructure and taking the necessary steps to remediate any non-compliant data usage will help minimize risks and support long-term, resilient data privacy.
Vanesa Hercules, AIGP, CIPM, is a senior director at FTI Technology.
